Assemble Reference

INI Sections

Section: [RuleNum]

Key	Description	Example
numberofrules	This key indicates how many rules are contained in the INI file.	Example: numberofrules=3
admindevicespaceid*supported in VSP/Core version 7.0 and higher	This key indicates the API account delegated administrator device space ID. The ID for the Global space is “1” and is the default setting for this Assemble key.	Example:admindevicespaceid=1
connectedcloud	This key indicates if the VSP is a Connected Cloud appliance host by MobileIron.The default setting is connectedcloud=no.	Example:Connectedcloud=yes
numberofrules_as	This key indicates how many Activesync rules are contained in the INI file.	Example: numberofrules_as=1
sleeptime	This key controls the number of milliseconds between actions sent to the VSP. For example, if sleeptime is set to 2000 and 50 devices are being retired there will be a pause of 2000 milliseconds for each ‘Retire Device’ API call to keep a flood of API calls from overloading the VSP. The total time to retire all 50 devices will be 100 seconds. If sleeptime is not set, the default value is set to 2000 milliseconds.	Example: sleeptime=2000
action_max	This key specifies the maximum number of devices to take actions. If more devices match the Assemble rules for the specified action in “action_max_actions” than the number set for “action_max”, Assemble will not take the action on any devices and log the number of devices has exceeded the max setting.The default setting is 50. To set no limit, set “action_max=0”.	action_max=500
action_max_actions	This key specifies the actions to enforce with the “action_max” setting. If more devices match the Assemble rules for the specified action in “action_max_actions” than the number set for “action_max”, Assemble will not take the action on any devices and log the number of devices has exceeded the max setting.The default setting is “any” which will enfoce the “action_max” setting for the supported action types.The supported action types for “action_max_actions” are: · retire · wipe   The default limit for “action_max” is 50. To set no limit, set “action_max=0”.   Multiple actions for this setting must be comma delimited.	action_max_actions=retire,wipe
activedevicedownload	This key specifies which device details are downloaded to run against Assemble rules. 1. activedevicedownload=active This is the default setting and downloads all active device details regardless of OS or label membership. 2. activedevicedownload=label:labelname This setting only downloads active device details for devices that are members of the labelname specified in this INI key value3. activedevicedownload=IENROLL_VERIFIED Enrollment verified devices for iPhone and WebOS4. activedevicedownload=IENROLL_INPROGRESS Enrolling devices for iPhone and WebOS5. activedevicedownload=IENROLL_COMPLETE Enrolled devices for iPhone and WebOS6. activedevicedownload=INFECTEDVirus Infected devices7. activedevicedownload=LOSTLost devices8. activedevicedownload=RETIREDRetired devices9. activedevicedownload=VERIFIEDRegistration Verified devices10. activedevicedownload=VERIFICATION_PENDINGVerification Pending devices11. activedevicedownload=EXPIREDExpired devices12. activedevicedownload=WIPEDWiped devices13. activedevicedownload=updatedwithin:60All Active devices which have updated information within the last 60 minutes. You can specify any numberical minute setting.NOTE: This does not return Windows devices.14. activedevicedownload=updatedwithin:60&status=RetiredAll Retired devices which have updated information within the last 60 minutes. You can specify any numberical minute setting. You can also specify any device status seen in #3-12 above (e.g. Wiped).NOTE: This does not return Windows devices.Note: If the list of devices is empty, the Assemble run will log and terminate.	Example: activedevicedownload=label:iosDefault:activedevicedownload=active
api_paging	Assemble previously requested all devices at once from the API using the rule key “activedevicedownload”. This could cause performance issues on Core when there were thousands of matching devices. This could also cause Core to take a long time to respond as it constructed the reply contain all devices. It could also cause timeout issues.Starting is Assemble 37.9, paging has been implemented to ask for a range of devices at at time. The default setting is to ask for 500 devices at a time. Example:If there are 5000 active devices, Assemble will make 10 API requests asking for 500 devices with each request with the setting “api_limit” set to the default 500.This avoids the previously mentioned issues. While this paging option is currently only used when querying the API for devices of a specific status or label members because these typically have the highest number of devices returned, it will be applied to other API queries over time.NOTE: It is strongly recommended to not disable this function unless instructed to do so by MobileIron support.	Example:api_paging=noDefault:api_paging=yes
api_limit	This setting controls how many devices are requested with each API query.Example:If there are 5000 active devices, Assemble will make 10 API requests asking for 500 devices with each request with the setting “api_limit” set to the default 500.NOTE:While “api_limit” can be set to any number, it is strongly recommended to not increase it beyond the default setting of 500 unless instructed to do so by MobileIron support.	Example:api_limit=250Default:api_limit=500
apptunnel_list	This key downloads a list of all AppTunnel entries from Core. This list can then be used by Assemble rules to check for devices that have or don’t have AppTunnel entries.When this key is set, the variable “tunnelEstablished” can be used in reports to show there has been at least one Tunnel established with a Sentry for the device.	apptunnel_list=yes
activedevicedownloadv2*Supported in Core 7.0 and higher. It requires the Assemble user be a member of the Global space, have the API role and have “View dashboard, device page, device details” enabled under Device Management.	This setting is only applicable for use with the V2APIActions setting. No other Assemble functions are available for use with “activedevicedownloadv2” setting outside of the “V2APIActions” setting.This tells Assemble to query for devices using an Advanced Search query string via a V2 API.You can create an Advanced Search query in the Devices page. Once you have your query built, you can copy and paste it into your activedevicedownloadv2 setting.Example for query matching devices registered with ‘testuser’ that have the status ‘ACTIVE’.Query is:"user.user_id" = "testuser" AND "common.status" = "Active"The query must be surrounded by single quotes in the activedevicedownloadv2 setting.Example:activedevicedownloadv2= '"user.user_id" = "testuser" AND "common.status" = "ACTIVE"'Assemble will pull all device UUIDs for devices matching the query. Those devices will have the actions defined in “V2APIAction” applied.The key “numberofrules” should be set as “numberofrules=0” because the matching of devices is done by Core with the set query value.	activedevicedownloadv2= '"common.status" = "ACTIVE" AND "common.current_phone_number" contains "PDA"'
V2APIAction*Supported in Core 7.0 and higher. It requires the Assemble user be a member of the Global space, have the API role and have “View dashboard, device page, device details” enabled under Device Management.	The actions listed in this setting are only taken for device that match the query specified in activedevicedownloadv2. The actions are taken in order. If multiple actions are listed, they must be comma separated.Example:V2APIAction=applylabel:yourlabel,wakeupIn this example, matching devices will have the label “yourlabel” applied and then a force checkin will applied to the devices.The following actions are supported. ² Unlock ² Lock Wipe Retire Applylabel:lablename Removelabel:labelname Wakeup Delete This deletes retired devices from Core if they were retired over 24 hours in the past. compliancecheck	Example: V2APIAction=applylabel:LABELNAME,wakeup
V2CSVReport*Supported in Core 7.0 and higher. It requires the Assemble user be a member of the Global space, have the API role and have “View dashboard, device page, device details” enabled under Device Management.	This key utilizes the following V2 API to download a CSV file of devices.POST api/v2/devicesThe default setting is “no”.Example rules.ini file content for a report containing all devices with the status “Active”:[RuleNum] numberofrules=0V2CSVReport = "yes"V2CSVReport_location = "c:\assemble\reports\"V2CSVReport_name = "activedevicereport"V2CSVReport_query = '"common.status" = "Active"'V2CSVReport_fieldgroups = "BASIC,COMMON,ANDROID,IOS,USER,WINDOWS_PHONE"	Example:V2CSVReport = "yes"
V2CSVReport_location	When “V2CSVReport” is set with “yes”, this key specifies the location of the CSV report.The default setting is the working directory.	Example:V2CSVReport_location = "c:\assemble\reports\"
V2CSVReport_name	When “V2CSVReport” is set with “yes”, this key specifies the name of the report.The default setting is “CoreReport”.	Example:V2CSVReport_name = "ActiveDevicesReport"
V2CSVReport_timestamp	When “V2CSVReport” is set with “yes”, this key specifies if a time stamp should be added as a report name suffix.The default setting is “yes”.	Example:V2CSVReport_timestamp = "no"
V2CSVReport_query	When “V2CSVReport” is set with “yes”, this key specifies the Advanced Search query used to filter devices in the CSV report.The default setting is blank which will match all devices.You can create an Advanced Search query in the Devices page. Once you have your query built, you can copy and paste it into your activedevicedownloadv2 setting.Example for query matching devices registered with ‘testuser’ that have the status ‘ACTIVE’.Query is:"user.user_id" = "testuser" AND "common.status" = "Active"The query must be surrounded by single quotes in the activedevicedownloadv2 setting.Example:V2CSVReport_query = '"user.user_id" = "testuser" AND "common.status" = "ACTIVE"'The key “numberofrules” should be set as “numberofrules=0” because the matching of devices is done by Core with the set query value.	Example:V2CSVReport_query = '"common.status" = "Active"'
V2CSVReport_labelid	When “V2CSVReport” is set with “yes”, this key specifies the label Id number for filtering devices in the CSV report.This value will be ignored if there is any value for “V2CSVReport_query”. This is because both an Advanced Search query and a label Id filter cannot be used at the same time for the V2 API “POST api/v2/devices”. The default setting is blank.To determine a label’s Id, you can use one of the following APIs.V1:/api/v1/dm/labelsV2:/api/v2/label_summary?adminDeviceSpaceId=1This API requires a RESTful client such as Postman for it to be used within a browser. This is because you must set the header “Content-Type” to “application/json” and headers cannot be controlled by default is most browsers.	Example:V2CSVReport_labelid = "-10"
V2CSVReport_fieldgroups	When “V2CSVReport” is set with “yes”, this key specifies the groups of fields to include in the CSV report.The default setting is “BASIC,COMMON,ANDROID,IOS,USER,WINDOWS_PHONE”.For a list of fields in each group, see V2 API Field Groups.	Example:V2CSVReport_fieldgroups = "BASIC,COMMON,ANDROID,IOS,USER,WINDOWS_PHONE"
V2CSVReport_limit	When “V2CSVReport” is set with “yes”, this key specifies the maximum number of devices to return. The default setting is “20000”.	Example:V2CSVReport_limit = 300000
V2DEPExportCSV*Supported in Core 7.0 and higher. It requires the Assemble user be a member of the Global space, have the API role and have “Manage device enrollment (iOS only)” enabled under Device Management.	This key utilizes the following V2 API to download a CSV file of Apple DEP account and associated devices.GET api/v2/dep/accounts/{accountId}/csvdevicesThe default setting is “no”.Example rules.ini file content for a report of Apple DEP accounts and associated devices:[RuleNum]numberofrules=0sleeptime=20V2DEPExportCSV=yesV2DEPExportCSV_location=c:\assemble\reportsV2DEPExportCSV_name=DEPExportV2DEPExportCSV_timestamp=yes	Example:V2DEPExportCSV = "yes"
V2DEPExportCSV_location	When “V2DEPExportCSV” is set with “yes”, this key specifies the location of the CSV report.The default setting is the working directory.	Example:V2DEPExportCSV_location = "c:\assemble\reports\"
V2DEPExportCSV_name	When “V2DEPExportCSV” is set with “yes”, this key specifies the name of the report.The default setting is “DEPReport”.	Example:V2DEPExportCSV_name = "DEPReport"
V2DEPExportCSV_timestamp	When “V2DEPExportCSV” is set with “yes”, this key specifies if a time stamp should be added as a report name suffix.The default setting is “yes”.	Example:V2DEPExportCSV_timestamp = "no"
V2DEPExportCSV_limit	When “V2DEPExportCSV” is set with “yes”, this key specifies the maximum number of devices to return. The default setting is “20000”.	Example:V2DEPExportCSV_limit = 300000
V2DEPExportCSV_ApplyLabel	When “V2DEPExportCSV” is set with “yes”, this key will assign a label to non-retired iOS devices with a serial number matching a serial number in a DEP profile.The name of the label assigned is the same name as the Enrollment Profile. A label with the same name must already exist in Core. If the Enrollment Profile name contains a comma, replace the comma with a space in the label name.	V2DEPExportCSV_ApplyLabel = yes
V2DEPDefaultEnrollmentProfile*Supported in Core 7.0 and higher. It requires the Assemble user be a member of the Global space, have the API role and have “Manage device enrollment (iOS only)” enabled under Device Management.	This key enables the setting of a default enrollment profile for all devices in any DEP account already uploaded to Core.	V2DEPDefaultEnrollmentProfile=yes
V2DEPDefaultEnrollmentProfileName	This key specifies the name of the enrollment profile. The enrollment profile must have already been created in the DEP account. The exact name of the enrollment profile must used in order for Assemble to ascertain the enrollment profile ID which is necessary for assignment to devices.	V2DEPDefaultEnrollmentProfileName= "Company Default Enrollment Profile"
V2DEPDefaultEnrollmentProfileDeviceFilterType	This optional key allows filtering devices to only assign a default enrollment profile to matching devices. The support filter type supported is “model”. This allows you to filter for only specified models. The operator “contains” is used for the comparison.Example:If only iPads and iPhones are to have default enrollment profiles assigned, set the following:V2DEPDefaultEnrollmentProfileDeviceFilterType=modelV2DEPDefaultEnrollmentProfileDeviceFilterValue=ipad,iphoneComma separated values are evaluated with an OR operator (e.g. model contains ipad OR model contains iphone). Device models can be seen in the Core UX in the column “MODEL” after clicking on the number of devices for a DEP account.If this key is not set, all unassigned devices in a DEP account are assigned the specified enrollment profile.	V2DEPDefaultEnrollmentProfileDeviceFilterType=model
V2DEPDefaultEnrollmentProfileDeviceFilterValue	If the following key is set, this key value is used to match the filter type value for each device in a DEP account. V2DEPDefaultEnrollmentProfileDeviceFilterTypeExample:If only iPads and iPhones are to have default enrollment profiles assigned, set the following:V2DEPDefaultEnrollmentProfileDeviceFilterType=modelV2DEPDefaultEnrollmentProfileDeviceFilterValue=ipad,iphoneComma separated values are evaluated with an OR operator (e.g. model contains ipad OR model contains iphone). Device models can be seen in the Core UX in the column “MODEL” after clicking on the number of devices for a DEP account.	V2DEPDefaultEnrollmentProfileDeviceFilterValue=ipad,iphone
V2ExtractValuesQuery	This key is used to pull a list of devices that match an Advanced Search query. It is used in combination with V2ExtractValuesQueryField to pull a list of values for a single specific field to be used in Assemble rules.Example:[RuleNum] numberofrules=1V2ExtractValuesQuery='"user.ldap.groups.name" = "MobileUsers"'V2ExtractValuesQueryField = "user.user_id"[Rule1]NumberofElements=1Action=reportActionReason=Report for users in AD group MobileUsersreportsend=yesreportname= MobileUsers_Devicesreportlocation=C:\assemble\Reports\reportmessage=Devices for users in AD group MobileUsersreportvar=uuid,principal,emailaddress,currentphonenumber,manufacturer,model_universal	V2ExtractValuesQuery='"user.ldap.groups.name" = "MobileUsers"'
Element1_trigger=principalElement1_description=user IDs returned by Advanced Search QueryElement1_operator=equalsElement1_source=V2ExtractValuesQueryFieldThis example pulls a list of all devices where the user is a member of the AD/LDAP group MobileUser. For those devices, only the values for the field “user.user_id” are returned. Those values are then fed into the Assemble rule using the special setting “Element1_source=V2ExtractValuesQueryField” similar to reading a list of values from a manually created file using “Element1_source=”c:\userid.csv”. Because the field “user_user_id” in the V2 API is the equivalent of the V1 API file “principal”, using the trigger “Element1_trigger=principal” compares the principal name value for each device with the list of user.user_id values for a match.
V2ExtractValuesQueryField	This setting specifies the field name values to request for device matching the Advanced Search query set in V2ExtractValuesQuery. Only one field name can be included.The field values returned can then be used in the Assemble rule element “ElementX_source”. Assemble will check each of the values against the specified trigger.	V2ExtractValuesQueryField = "user.user_id"
bulkaction_retire	Assemble performs bulk retire actions by default. Adding a reason for retiring devices is not supported by the VSP bulk action API. If a reason needs to be added, the bulk retire API cannot be used and Assemble must retire devices one at a time.Setting bulkaction_retire=no will disable bulk retiring and allow Assemble to include a reason in the retire API one device at a time.The reason string is pulled from the key “ActionReason” in the [RuleX] section.	bulkaction_retire=no
bulkaction_wipe	Assemble performs bulk wipe actions by default. Adding a reason for wiping devices is not supported by the VSP bulk action API. If a reason needs to be added, the bulk retire API cannot be used and Assemble must retire devices one at a time.Setting bulkaction_wipe=no will disable bulk wiping and allow Assemble to include a reason in the retire API one device at a time.The reason string is pulled from the key “ActionReason” in the [RuleX] section.	bulkaction_wipe=no
certificatesreport	When setting “reportcertificates=yes” in the section [RulesX] to add all certificates for matching iOS devices in a report, it is necessary to set “certificatesreport =yes” to generate the headers for the certificate data in the report.NOTE: This is for iOS devices only. Other operating systems will display N/A in each column.	Example: certificatesreport=yes
details_custom1-10	Assemble is hard coded to look for specific device details such as OSVersion and Platform. As new device details are added, Assemble has the flexibility to support them before they are explicitly added as new device details Assemble checks.Using “details_customX”, new device details can be supported. Up to 10 custom device details can be specified and used in rules and reports.Example:A new device details for iOS was added in VSP version 5.8 called "IsDeviceLocatorServiceEnabled" to for iOS7 devices. This has not yet been explicitly added to Assemble as a supported device detail.A report can be created to show all devices where IsDeviceLocatorServiceEnabled is “true”.[RuleNum] numberofrules=1sleeptime=200 delimeter=,details_custom1 = "IsDeviceLocatorServiceEnabled"[Rule1] NumberofElements=1 Action=report ActionReason=DeviceLocatorServiceEnabled reportreportsend=yesreportname=DeviceLocatorServiceEnabled_Reportreportlocation=C:\assemble\reports\reportmessage=DeviceLocatorServiceEnabledreportvar=emailAddress,uuid,iphoneudid,platform,model_universal,principal,details_custom1Element1_trigger=details_custom1Element1_description=DeviceLocatorServiceEnabled equals trueElement1_operator=equalsElement1_source=local Element1_value=true	details_custom1= IsDeviceLocatorServiceEnabled
AppCategory will show the categories for the app in AppDistribution if 1) the app was installed from Apps@Work, 2) the device OS is iOS or Android and 3) if “vspdetails=yes” is set in the section [RuleNum]. This requires the Assemble user have all administration roles. For Core 9.0 and higher, you can lookup apps by app bundle name instead of app name if you also set “appnames_bundleid=yes”. This is much more accurate because the name of an app can change from version to version. But the bundle name is always consistent.
labelsreport	When setting “reportlabels=yes” in the section [RulesX] to add all labels for matching devices in a report, it is necessary to set “labelsreport=yes” to generate the headers for the label data in the report.	Example: labelsreport=yes
labelcheck	This key specifies if Assemble should check if a device is or is not a member of a label before applying or removing the label when using the actions “applylabel” or “removelabel”.The default setting is “labelcheck=yes”.	Example:labelcheck=no
license_report	This key creates a report for a license count for the following: ² Total Active Devices Android iOS Windows Mobile Windows Phone 8 Windows Pro/RT OSX Web@Work Docs@Work AppConnect W@W&D@W&AC (this indicates the number of devices with Web@Work, Docs@Work and AppConnect policies applied)   The numbers break down the total number of devices and then by OS. They also show how many devices are using the various features that can be licensed separately.   A separate Web@Work, Docs@Work, AppConnect and W@W&D@W&AC CSV report will also be created which lists all the matching devices for each category. Each report will include the following information.	license_report=yes
² Total Devices ² Device Number DeviceUUID Principal Model PhoneNumber   The name of the separate reports will be:   ² YourReportName_Web@Work_timestamp ² YourReportName_Docs@Work_timestamp YourReportName_AppConnect_timestamp YourReportName_ W@W&D@W&AC _timestamp
license_reportname	² This key specifies the name of the license report. A timestamp is appended to the end of the report.	license_reportname="VSP1"
license_report_location	This key specifies the location of the license report.	license_report_location=c:\assemble\reports\
log_purge	This key specifies if old Assemble log files should be deleted.The default setting is “yes”.	Example:log_purge=no
log_purge_age	This key specifies the age of Assemble log files in days to delete. If the log file is older than the number of days specified it will be deleted. Any files with the name assemble*.log will be checked.The default setting is “7”.This will also delete appnames_timestamp.ini files that are older than the number of days specified.	Example:log_purge_age=14
loglevelsetting	This key specifies the Assemble logging level. The two settings are: 1. Normal Normal logging show only basic log details such as connection settings, rule matches and actions sent to the VSP. It does not include details for devices that do not match Assemble rules. 2. Verbose Verbose logging is the default setting. The log detail is the same as Assemble version previous than 13.5. It includes all possible logging including details for devices that do not match Assemble rules.	Example:loglevelsetting=normal
logmilliseconds	This key specifies if milliseconds should be included in the log file timestamps.It is recommended to only set this key to “yes” for troubleshooting. It can significantly increase the size of the log file and may increase Assemble run times. The default setting is “logmilliseconds=no”.	Example: logmilliseconds=yes
linkldapusers	When linkldapusers equals “yes”, Assemble will automate the function “Link to LDAP User” in the VSP User Management section. The function takes a local user account and updates it to a LDAP user if the username exists in LDAP/Active Directory.The list of local users names can be specified in the rule.ini file in the key “linkldapusers_users” or in a CSV file using the key “linkldapusers_csv”.	Example:linkldapusers=yes
linkldapusers_users	When setting linkldapusers=yes, the key linkldapusers_users allows you to enter a list of comma separated local usersnames to link to LDAP/AD.	Example:linkldapusers_users=user1,user2,user3
linkldapusers_csv	When setting linkldapusers=yes, the key linkldapusers_csv allows you to enter the path to a CSV containing comma separated local usersnames to link to LDAP/AD.	Example:linkldapusers_csv=c:\assemble\userslocal.csv
memorystats	This key dump Assemble and system memory statistics into the Assemble log file. The stats are logged at the beginning of the Assemble run and at every 100 devices parsed by the Assemble rule set (device 1, 101, 201, etc.)This can be useful for monitoring Assemble memory usage, but it is not recommended to enable this function unless troubleshooting problems such as the error message “Error allocating memory” when Assemble crashes because there is not enough available system memory.	memorystats=yes
delimiter	This key controls the delimiter that is used for separating multiple element values. If delimiter is not set, Assemble will default to using a comma as a delimiter. However in some cases a comma will not work. I want to apply a label only to Samsung Android devices that have the specific API needed to configure email and device restrictions. The device detail Samsung_DM may need to equal “FW: Key2,0 SW:1.0” or “FW: Key2,0 SW:1.0” Element1_value= FW: Key2,0 SW:1.0,FW: Key2,0 SW:1.0 If the default comma delimiter is used the element value would be split into four checks instead of two. 1. FW: Key2 2. 0 SW:1.0 3. FW: Key2 4. 0 SW:1.0 If you change the delimiter to a different character such as “|”you can get the results you need. Element1_value= FW: Key2,0 SW:1.0|FW: Key2,0 SW:1.0 1. FW: Key2,0 SW:1.0 2. FW: Key2,0 SW:1.0	Example: delimiter=|
ad_data	This key indicates if an Active Directory connection is made to support triggers and syslog/report variables that pull user attributes.ActiveDirectory connection information must be included in the vsp.ini file. See AD Connection and Authentication.	Example: ad_data=yes
ad_disabled	This key indicates after an Active Directory connection that the list of disabled accounts will be downloaded. Downloading the list of disabled accounts is necessary when using the trigger ad:disabled which allows actions to be taken against devices registered under AD accounts that are disabled. By default this key is set to ‘yes’.The key “ad_data” must be set to “yes” and ActiveDirectory connection information must be included in the vsp.ini file. See AD Connection and Authentication.	Example: ad_disabled=no
ad_disabled_export	This key saves the list of disabled ActiveDirectory accounts to a CSV file. The key ad_disabled must not be set to “no”.	Example: ad_disabled_export=yes
ad_disabled_export_name	This key indicates the name of the CSV file using to export disabled Active Directory accounts. The CSV file will be saved to the same folder as the Assemble executable. If the file name already exists it will be overwritten. The default name is “ad_export.csv”.	Example: ad_disabled_export_name=addisabledusers.csv
ad_disabled_email	This key indicates after an Active Directory connection that the list of disabled account email addresses will be downloaded. Downloading the list of disabled account email addresses is necessary when using the trigger ad:disabled:email which allows actions to be taken against devices registered under AD accounts that are disabled. By default this key is set to ‘no’.The key “ad_data” must be set to “yes” and ActiveDirectory connection information must be included in the vsp.ini file. See AD Connection and Authentication.	Example: ad_disabled_email=no
ad_disabled_custom	Set this key with “yes” to have Assemble read and utilize the key ad_disabled_custom_attributename.	ad_disabled_custom=yes
ad_disabled_custom_attributename	This key indicates after an Active Directory connection that the list of disabled account attribute values that will be downloaded. Example:Setting “ad_disabled_custom_attributename=userPrincipalName” will download a list of the attribute value “userPrincipalName” for all disabled AD accounts.Downloading the list is necessary when using the trigger ad:disabled:custom:devicedetailname” which allows actions to be taken against devices registered under AD accounts that are disabled. By default this key is set to “NotFound” and is not utilized.The key “ad_data” must be set to “yes” and ActiveDirectory connection information must be included in the vsp.ini file. See AD Connection and Authentication.	Example: ad_disabled_custom_attributename=userPrincipalName
ad_custom1_attributead_custom2_attributead_custom3_attributead_custom4_attributead_custom5_attribute	These keys specify custom Active Directory user attributes to be used in reports and syslog messages. The following attributes are explicitially supported without setting custom attributes. ² Distinguishedname ² Useraccountcontrol Samaccountname Memberof Department Employeeid   See the keys “reportvar”, “syslogvar” and “commentvar” in section [RuleX] for adding AD attributes to reports, syslog messages and setting device comments.	Example:ad_custom1_attribute = "title"ad_custom2_attribute = "description"ad_custom3_attribute = "postalcode"ad_custom4_attribute = "telephonenumber"ad_custom5_attribute = "whencreated"
devicehistory	This key indicates if all the current details for each device are cached in devicehistory.ini. This file contains details for only the last run of Assemble. It is used with the trigger “history” that allows comparing the current value of a device detail to the previous value.	Example: devicehistory=yes
devicehistory_var	This key specifies which device details to record between Assemble runs for comparison. The device details must be comma separated with no spaces. Any device detail can be used, but any details with white space must have the white space removed (i.e. “iPhone UDID” should be changed to “iPhoneUDID”. If devicehistory_var is not set and devicehistory=yes, the Assemble will record all device details.	Example:devicehistory_var=uuid,currentphonenumber,compliancecode
activedevicefile	This key specifies a cached download of active device details from the VSP. If this key is set, Assemble will not download fresh active device details and will run all rules from the cached device details in the specified file location	Example: activedevicefile = “C:\assemble\cache\activedevicedetails.xml”
activedevicefiledelete	This key specifies if the file “activedeviceinfo.xml” should be deleted after the Assemble run is complete. The default setting is “yes”. This file can used for troubleshooting purposes.	activedevicefiledelete = no
activedevicecache	This key specifies if and where the download of active device details should be copied. That copied file could be used on a later Assemble run to compare rules against cached device details.	Example: activedevicecache = “C:\assemble\cache\activedevicedetails.xml”
appnames	This key specified all the app names that need to be checked in any of the rules using the trigger app:managed|unmanaged|installed|notinstalled|any. The app names must be listed here for Assemble to download the data showing which devices have the application(s) installed and if the app is managed or unmanaged. Without this key, the trigger will not function. This key can also be set to “all”. This setting is used to create a report that includes all apps installed on a device that matches a rule. It will add the following columns to the report: 1. AppName 2. AppVersion3. AppBundleID 4. AppManaged5. AppCategory When this setting is used, the setting “reportvar” in the rule must include “uuid”.In Assemble 40.5 and higher, the list of app names can be imported from a file. This is necessary with app names contain non-ASCII characters (e.g. Chinese characters). This is because Assemble cannot read non-ASCII characters from a .ini file, but can from other file types. The file being read must be saved in UTF-8 format if it contains non-ASCII characters.Example:appnames=file:appnames_unicode.txt This key has a special setting “Violation” that works with the key appcontroldetails.	Examples: appnames=anyconnect,angry birds,boxappnames=file:appnames_unicode.txt
AppCategory will show the categories for the app in AppDistribution if 1) the app was installed from Apps@Work, 2) the device OS is iOS or Android and 3) if “vspdetails=yes” is set in the section [RuleNum]. This requires the Assemble user have all administration roles. For Core 9.0 and higher, you can lookup apps by app bundle name instead of app name if you also set “appnames_bundleid=yes”. This is much more accurate because the name of an app can change from version to version. But the bundle name is always consistent.Example: [RuleNum] numberofrules=1 appnames=com.mobileiron.ios.e mailplus appnames_bundleid=yes
appnames_bundleid	This key indicates that the apps listed in ‘appnames=’ should be looked up by bundle name/id rather than app name. This is supported in Core 9.0 and higher.This is much more accurate because the name of an app can change from version to version. But the bundle name is always consistent.	appnames_bundleid=yes
appnames_androidversion	When “appnames=all” and “appnames_androidversion=yes”, Assemble will pull the correct version of Android apps into a report.The API that Assemble utilizes to pull each device’s app inventory does not return the field “appVersion”. It only returns the field “version”. For Android devices, the field “version” returns an interger version of an app with a prefix of “M:” for market apps and “N:” for non-market apps (e.g. M:50337). The exact versions of Android apps are only available when using the API to retrieve all discovered apps. That version is contained in the field “appVersion” (e.g. 5.0.8.50337). That API does not also show which devices have that app/version installed.Setting the key “appnames_androidversion” tells Assemble to take the “version” field for each Android app and cross check it against the full list of discovered apps. Assemble will then replace the value for “version” with the value for “appVersion”.NOTE: Setting this key can cause Assemble execution to be much longer. This is because Assemble will have to pull down a full list of all the discovered apps for all operating systems for cross checking.	appnames_androidversion=yes
appnames_verbose	When utilizing appnames=appname, the following variables can be used in reports and syslog messages. ² apps_managedstatus: adds the app name and managed/unmanaged status ² apps_version: adds the app version apps_name: adds the name of the matching app apps_managed: adds only the managed status of the app apps_bundle: adds the bundle name of the matching app However, apps_bundle cannot be pulled using a single API query and must be pulled with one API query for each device with the app installed. Setting appnames_verbose=yes enables Assemble to pull the bundle name/id for the app for each device for reports and syslog messages.	appnames_verbose=yes
appcontroldetails*	*This function requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings This key must be combined with setting the key appnames for reporting. When appcontroldetails is set to “yes” AND appnames is set “Violation”, all devices that are violating an app control policy will have the following details for each app included in reports. 1. AppNum 2. AppName 3. AppControl Policy (not available in Core 9.0 and above) 4. AppControl Type Syslog messages will have additional strings “appcontrolapp=appname,appcontrolpolicyname,appcontroltype” added to the end of the syslog message for each app violating the app control policy for the device.When appcontroldetails is set to “yes”, all devices violating app control rules will have each violating app’s information appended to push, SMS and email messages.	Example: appcontroldetails=yes
variablealias	This key specifies if aliases will be substituted for device detail names. The device detail to alias mapping must in an INI file. This allows detail names to be changed in reports to an alias that is more intuitive. For example the value name "security_state" can be changed to "compromised_status". The name of the INI file is indicated in the setting variablealiaslist.	Example: variablealias=yes Default: variablealias=no
variablealiaslist	This key specifies the name of the device detail to alias mapping INI file. The INI file must reside in the current working directory. If it is not, you much specify the full file path surrounded by double quotes. The device detail to alias mapping must be located under an INI section called [alias]. The device detail name is the INI key and the alias is the key value. [alias] security_state=compromised_status principal=username	Examples: variablealiaslist=assemble_alias.inivariablealiaslist= "C:\assemble\assemble_alias.ini"
valuetranslate	This key specifies if device detail values will be translated into other values. This allows values that may be confusing to read to be translated into a more human readable format. The device detail values to translated values mapping must in an INI file. The name of the INI file is indicated in the setting valuetranslatelist.	Example: valuetranslate=yes
valuetranslatelist	This key specifies the name of the device detail values to translated values mapping INI file. The INI file must reside in the current working directory. If it is not, you much specify the full file path surrounded by double quotes.	Examples: valuetranslatelist=assemble_translate.inivaluetranslatelist="C:\assemble\assemble_translate.ini"
wget	This key controls whether the Internet Explorer engine or wget is utilized to download all device details via the VSP API. There are rare instances when the API https://vsp/api/v1/dm/devices can return null characters in the XML response. The Internet Explorer engine cannot process null characters and will cause Assemble to receive incomplete information. Wget can process the null characters and once the raw XML file is downloaded, Assemble can strip the null characters from the XML file for correct processing of Assemble rules. If you believe you are encountering null characters in the XML returned by the API https://vsp/api/v1/dm/devices, set wget to “yes”. The default setting is wget=yes as of 8/24/2012. If you require wget to utilize a HTTP proxy server, you must set up an Windows environment variable before using wget. Type this at the command prompt: set http_proxy=http://proxy.myprovider.net:8080 This value will be used by wget for every Assemble run. If you need to clear the environment variable, type this at the command prompt:   set http_proxy=	Example: wget=yes
retry	This key specifies how many times Assemble will retry to connect to the VSP if the VSP is not responding or is responding with an error. The default retry setting is 20. Each retry pauses longer than the last to allow the VSP to recover if it is overloaded. After the last retry fails, Assemble will gracefully terminate and log the shutdown.	Example:retry=50
activesyncreport	This key specifies if Sentry ActiveSync device details will be exported into a CSV report. The default setting is “no”.	Example: activesyncreport = yes
activesyncappliedpolicy	This key specifies if the ActiveSyncDeviceOS ,ActiveSync-Device/User-Policy, DevicePerMailbox-ActiveSyncPolicy, ReportingSentryIP and RedirectURL for each device should be included in the report for each device. The default setting is “no”.Setting this key will cause generation of the report to be much longer because Assemble has to query the VSP GUI two times for each device to pull the ActiveSync policy information.	Example:activesyncappliedpolicy=yes
activesyncreportlocation	This key specifies the location of the CSV file in the local file system. The path must include the trailing backslash. The default value is “\”.	Example: activesyncreportlocation = C:\users\jsmith\
activesyncreportname	This key specifies the name of the CSV report. The default value is “MI_Assemble_ActiveSync_Report”.	Example: activesyncreportname = ActiveSyncReport
activesyncreporttimestamp	This key specifies if a date/time stamp should be added to the end of the report name at run time. The default value is “yes”.	Example: activesyncreporttimestamp = yes
activesync_username_emailaddress_ADtranslate	This key specifies if the MailboxID should be translated to an email address by performing an ActiveDirectory lookup up the user attribute “mail” for the MailboxID username.If an email address is found for the MailboxID in ActiveDirectory it is recorded in the file activesyncmailboxidemail.ini. This allows Assemble to skip the translation in future Assemble runs.Note: The key “ad_data” must be set to “yes” and the section [AD] must be created in the vsp.ini file using ad.exe to allow Assemble to connect to ActiveDirectory for lookups. See AD Connection and Authentication.	Example:activesync_username_emailaddress_ADtranslate=yes
activesyncreportmessage	This key specifies a custom string to be inserted into the column activesyncreportmessage. The default value is “MI VSP Activesync report message”.	Example: activesyncreportmessage = Daily ActiveSync Report
activesyncreportemail	This key specifies if the CSV report will be sent as an email attachment. The default value is “no”.	Example: activesyncreportemail = yes
activesyncreportFromAddress	This key specifies the From email address. The default is blank.	Example: activesyncreportFromAddress = [email protected]
activesyncreportToAddress	The key specifies the To email addresses. The default is blank.	Example: activesyncreportToAddress = [email protected], [email protected]
activesyncreportSubject	This key specifies the subject of the email. The default is MobileIron ActiveSync Report.	Example: activesyncreportSubject = Company X Daily ActiveSync Report
activesyncreportBody	The key specifies the body of the email. The default is blank.	Example: activesyncreportBody = This is a daily MobileIron ActiveSync report.
activesyncreportImportance	This key specifies the importance flag of the email. The default is Normal.	Example: activesyncreportImportance = Important
activesynchistory	This key specifies if ActiveSync device details should be recorded for comparison on later Assemble runs. The history is stored in activesynchistory.ini. The default is “no”.	Example:activesynchistory=yes
activesyncactionhistory	This key specifies if Assemble ActiveSync actions should be recorded for comparison on later Assemble runs. This history is stored in activesynchistory.ini. The default is “no”.	Example:activesyncactionhistory=yes
*label_importNOTE: The key requires all admin roles for Assemble and this function is supported for VSP 5.9 and above.	This key is used to programmatically create labels containing filters.See “label_csv” below for the CSV syntax used by Assemble to create the labels. Note: The import will not work if the label names already exist. This function must be able to create new label names. If the name of the label already exists, the function will fail. Updates to existing labels is not possible at this time.	label_import=yes
*label_csvNOTE: The key requires all admin roles for Assemble and this function is supported for VSP 5.9 and above.	This key is used with the key “label_import=yes”.The CSV can be created in Excel to make it easy to fill in all the desired details. Be sure to open the CSV in a text editor (e.g. NotePad++) to remove any unnecessary characters such as redundant double quotations once the information is saved as a CSV. Use the example below to understand the exact format of the CSV file. Do not include blank lines/carriage returns between CSV rows.The format for each line in the CSV is:labelname,labelprefix,labelfilter,labeldescriptionThe label prefix is optional and can be left empty.Example line with label prefix:SamsungDevices,Auto_,"common.platform" = "Android" AND "common.manufacturer" = "samsung" AND "common.retired" = false,my descriptionExample line without label prefix:SamsungDevices,,"common.platform" = "Android" AND "common.manufacturer" = "samsung" AND "common.retired" = false,my descriptionThe storename entry will be automatically appended to the labelprefix as the label name and to the airprintconfigurationprefix as the AirPrint configuration name.Example from Assemble log:LabelName: SamsungDevicesLabelPrefix: Auto_LabelFilter: "common.platform" = "Android" AND "common.manufacturer" = "samsung" AND "common.retired" = falseLabelDescription: desc1	label_csv=c:\assemble\label.csv
Assemble does not check the validity of the filter syntax. It is recommended to use the Core Advanced Search function on the Device page to create and test your filter. You can then copy and paste your filter into the CSV file. Remember to add the suffix “AND "common.retired" = false” to your query if you do not want to include retired devices in the filter. That hidden suffix is automatically added to filter strings in Advanced Search when the box “Exclude retired devices from search results” is checked.It is highly recommended to test this import with a CSV with a very small number of rows first to make the CSV formatting is correct before executing with a large number of rows. There is not a programmatic method for removing the labels. They must be removed via the Core administration GUI.Try to avoid commas in your label names, filters or descriptions. If you must use commas, set the key “delimiter” with a unique character such as “|” and use that character as a delimiterin your CSV file.
*airprint_importNOTE: The key required all admin roles for Assemble and this function is supported for VSP 5.9 and above.	This key is used for a very specific use case where a large number of unique Airprint configurations are needed and they need to applied to separate unique labels.Example:500 retails stores have their own AirPrint printer and only devices registered for each store should get their store’s AirPrint configuration. The devices in each store are registered with a username that contains the store number.An AirPrint configuration for each store can be created with a defined prefix and Assemble will add the store number to the end of the AirPrint configuration name. A label for each store can be created with a defined prefix and Assemble will add the store number to the end of the label name. The store label for each store will be applied to the AirPrint configuration for each store. A filter for each label is also created. The filter criteria should be created in the VSP Advanced Search screen with the filter syntax copy and pasted into the CSV along with and customizations.See “airprint_csv” below for the CSV syntax used by Assemble to create the AirPrint settings and labels. Note: The import will not work if the label names or AirPrint configuration names already exist. This function must be able to create new label and configuration names. If the name of the label or configuration already exists, the function will fail. Updates to existing configurations is not supported at this time.	airprint_import=yes
Example:Store Name: 1111Label Name: Label_1111AirPrint Configuration Name: AirPrint_1111It is highly recommended to test this import with a CSV with a very small number of rows first to make the CSV formatting is correct before executing with a large number of rows. There is not a programmatic method for removing the labels and configurations created with this import option. They must be removed via the VSP administration GUI which does support deleting labels and configurations in bulk.If an AirPrint configuration requires more than one AirPrinter entry, all the entries for the configuration must be included in a single CSV line with each entry’s airprintipaddress, airprintresourcepath and airprintdescription separated by a pipe symbol.Example:1111,Label_,"user.user_id" contains "store1111", store 1111 label,AirPrint_,Store 1111 Airprint Policy,10.0.47.121|10.0.47.122,Lexmark MS620dn| Lexmark MS630dn,Store 1111 AirPrint Printer1| AirPrint Printer2
*airprint_csvNOTE: The key required all admin roles for Assemble and this function is supported for VSP 5.9 and above.	This key is used with the key “airprint_import=yes”.The CSV can be created in Excel to make it easy to fill in all the desired details. Be sure to open the CSV in a text editor (e.g. NotePad++) to remove any unnecessary characters such as redundant double quotations once the information is saved as a CSV. Use the example below to understand the exact format of the CSV file. Do not include blank lines/carriage returns between CSV rows.The format for each line in the CSV is:storename,labelprefix,labelfilter,labeldescription,airprintconfigurationprefix,airprintconfigurationdescription,airprintipaddress,airprintresourcepath,airprintdescriptionExample:1111,Label_,"user.user_id" contains "store1111",store 1111 label,AirPrint_,Store 1111 Airprint Policy,10.0.47.121,Lexmark MS620dn,Store 1111 AirPrint Printer1112,Label_,"user.user_id" contains "store1112", store 1112 label,AirPrint_,Store 1112 Airprint Policy,10.1.33.121,Lexmark MS620dn,Store 1112 AirPrint Printer1113,Label_,"user.user_id" contains "store1113", store 1113 label,AirPrint_,Store 1113 Airprint Policy,10.1.35.121,Lexmark MS620dn,Store 1113 AirPrint Printer1114,Label_,"user.user_id" contains "store1114" store 1114 label,,AirPrint_,Store 1114 Airprint Policy,10.10.39.121,Lexmark MS620dn,Store 1114 AirPrint PrinterThe storename entry will be automatically appended to the labelprefix as the label name and to the airprintconfigurationprefix as the AirPrint configuration name.	airprint_csv=c:\assemble\airprint.csv
log_mifs**	This key specifies if the VSP MIFS log file should be downloaded. This function is utilized to send MIFS log entries as syslog messages. **NOTE: Enabling this function requires the VSP username and password have access to the MICS or System side of the VSP GUI.	Example: log_mifs=yes
log_mifs_age	This key specifies which of the log file entries to send via syslog based on the time stamp. The key represents the number of minutes in the past from the current run time of Assemble. If the key is set to 60 and the current time is 11:00 UTC, all log file entries from 10:00 to 11:00 UTC will match and be sent via syslog.	Example: log_mifs_age=60
log_mics**	This key specifies if the VSP MICS log file should be downloaded. This function is utilized to send MICS log entries as syslog messages. **NOTE: Enabling this function requires the VSP username and password have access to the MICS or System side of the VSP GUI.	Example: log_mics=yes
log_mics_age	This key specifies which of the log file entries to send via syslog based on the time stamp. The key represents the number of minutes in the past from the current run time of Assemble. If the key is set to 60 and the current time is 11:00 UTC, all log file entries from 10:00 to 11:00 UTC will match and be sent via syslog.	Example: log_mics_age=60
log_ldap**	This key specifies if the VSP LDAP log file should be downloaded. This function is utilized to send LDAP log entries as syslog messages. **NOTE: Enabling this function requires the VSP username and password have access to the MICS or System side of the VSP GUI.	Example: log_ldap=yes
log_ldap_age	This key specifies which of the log file entries to send via syslog based on the time stamp. The key represents the number of minutes in the past from the current run time of Assemble. If the key is set to 60 and the current time is 11:00 UTC, all log file entries from 10:00 to 11:00 UTC will match and be sent via syslog.	Example: log_ldap_age=60
log_mi**	This key specifies if the VSP MI log file should be downloaded. This function is utilized to send MI log entries as syslog messages. **NOTE: Enabling this function requires the VSP username and password have access to the MICS or System side of the VSP GUI.	Example: log_mi=yes
log_mi_age	This key specifies which of the log file entries to send via syslog based on the time stamp. The key represents the number of minutes in the past from the current run time of Assemble. If the key is set to 60 and the current time is 11:00 UTC, all log file entries from 10:00 to 11:00 UTC will match and be sent via syslog.NOTE: The MI log entries do not include a year in the timestamp. Because of this Assemble is set with specific assumptions. If the current month is January, February or March and the log entry month is October, November or December, Assemble will assume the log entry year is the current year minus 1. Otherwise Assemble will assume the log entry year is the current year.	Example: log_mi_age=60
log_syslogport	This key specifies the UDP port for sending MIFS log file entry syslog messages.	Example: log_syslogport=514
log_syslogserver	This key specifies the syslog server IP or FQDN for sending MIFS log file entry syslog messages.	Example: log_syslogserver=192.168.1.100
log_syslognotice	This key specifies the syslog notice level for sending MIFS log file entry syslog messages.	Example: log_syslognotice=security.info
log_syslogmessage	This key specifies a custom message sent with MIFS file entry syslog messages.	Example: log_syslogmessage=mifs_log
log_actionreason	This key specifies a second custom message sent with MIFS log file entry syslog messages.	Example: log_actionreason=MIFS_Log_Entry
ios_mdm_watchlist*	This key specifies if the “System - iOS MDM” Watchlist should be downloaded for creating a CSV report. *This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings	Example: ios_mdm_watchlist=yes
ios_mdm_location	This key specifies the location of the “System - iOS MDM” Watchlist report called iOS_MDM_Watchlist.csv.	Example: ios_mdm_location="C:\Assemble\reports\"
ios_enterpriseappstore_scepwatchlist*Note: This key has been deprecated. See the watchlist_af_policies later in this section for the new key.	This key specifies if the “System - iOS Enterprise AppStore SCEP” Watchlist should be downloaded for creating a CSV report. *This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings	Example: ios_enterpriseappstore_scepwatchlist =yes
ios_enterpriseappstore_scepwatchlist_locationNote: This key has been deprecated. See the watchlist_af_policies later in this section for the new key.	This key specifies the location of the “System - iOS Enterprise AppStore SCEP” Watchlist report called iOS_EnterpriseAppStore_SCEPWatchlist.csv.	Example: ios_enterpriseappstore_scepwatchlist _location="C:\Assemble\reports\"
label_report*	This key specifies if a label report should be created. The label report includes one row with details for each label. Under each label row, one row is inserted with details for each “Security & Policies” and “Apps & Files” policy that is a member of the label.The label report name is Label_Report_timestamp.csv.	Example:label_report=yes
label_report_location*	The key specifies the location of the label report for the key label_report.	Example:label_report_location=C:\ reports\
label_summary_report*NOTE: This label report is supported for Core 7.5 and higher.	This key specifies if a label summary report should be created. The label summary report includes the data columns listed below.Device, Policy, Config and Application columns are populated when there is associated data.The label report name is License_Summary_Report_CoreName_timestamp.csv. ² Label ID ² Label Name Label Description Label isStatis Label Criteria Label Device Count Label DeviceSpace ID Label DeviceSpace Name Label DeviceSpace Path Label Details Device Count Label Details User Count Label Details Policy Count Label Details Config Count Label Details Application Count Device DisplayName Device UserID Device PhoneNumber Device Status Device Owner Device UUID Device Platform Device PlatformName Label Policy ID Label Policy Name Label Policy Description Label Policy Status Label Config ID Label Config Name Label Config Description Label Application ID Label Application Name Label Application Platform Label Application Version	label_summary_report=yes
label_summary_report_location	² The key specifies the location of the label summary report for the key label_summary_report.	label_summary_report_location=c:\reports\
mdm_complete_log*	This key specifies if the MDM Log should be downloaded from the VSP to create a CSV report. This report shows the following information: ² command ² error modifiedAt phoneNumber priority requestData sendAttempts state   userName This report will attempt to download the last 999,999 log entries for the date range specified with “mdm_complete_startdate” and “mdm_complete_startdate”. However, if there are too many log entries for the date range the VSP may return an error. Adding the following settings in the section [RuleNum] may allow for large date ranges.   ie_resolvetimeout=1200000 ie_connecttimeout=1200000 ie_sendtimeout=1200000 ie_receivetimeout=1200000	mdm_complete_log=yes
mdm_complete_location*	This key specifies the location of the MDM Apply Redemption Code report called MDM_Log_Report_timestamp.csv.	Example:mdm_complete_location="C:\assemble\reports\"
mdm_complete_startdate*	The start date of MDM Log Entries. The start date time will be 00:00:00.This key is required when setting “mdm_complete_log=yes”	Example:mdm_complete_startdate="2013-03-21"
mdm_complete_enddate*	The end date of MDM Log Entries. The end date time will be 00:00:00.This key is required when setting “mdm_complete_log=yes”	Example:mdm_complete_enddate="2013-03-22"
log_browseall*	This key specifies if the Browse All Log should be downloaded from the VSP to create a CSV report. This report shows the following information: ² requestedat ² completedat ² status ² type ² objectType ² subjectName ² subjectType ² resultMessage ² reason ² principal ² requesterName ² requesterPrincipal   This report will attempt to download the last 999,999 log entries for the date range specified with all the startdatetime and enddatetime keys. However, if there are too many log entries for the date range the VSP may return an error. Adding the following settings in the section [RuleNum] may allow for large date ranges.   ie_resolvetimeout=1200000 ie_connecttimeout=1200000 ie_sendtimeout=1200000 ie_receivetimeout=1200000	Example:log_browseall=yes
log_browseall_location*	This key specifies the location of the MDM Apply Redemption Code report called BrowseAll_Log_Report_timestamp.csv.	Example:log_browseall_location=c:\assemble\reports\
log_browseall_requestedsince*	This key allows you to filter for entries starting X minutes ago until the current time.If this key is set, the following keys will be ignored. ² log_browseall_requestedat_startdatetime ² log_browseall_requestedat_enddatetime log_browseall_completedat_startdatetime log_bro wseall_completedat_enddatetime	log_browseall_requestedsince=1440
log_browseall_typefilter	This key allows filtering for specific event types. You can filter for multiple event type by separating them with a “:” character.Below is a list of the event types: ² ACTIVATE_POLICY ² ADD_APPSETTING ADD_DEVICE_SPACE ALERT APPLY_LABEL_TO_DEVICES APPLY_LABEL_TO_DEVICES CHANGE_OWNERSHIP DELETE_LABEL FIND FIND REGISTER_DEVICE REMOVE_LABEL_FROM_DEVICES RETIRE SEND_MESSAGE WAKEUP_DEVICE     Example use: [RuleNum] numberofrules=0 log_browseall=yes log_browseall_location=c:\assemble\reports\ log_browseall_requestedsince=1440 log_browseall_typefilter=CHANGE_OWNERSHIP:REGISTER_DEVICE	log_browseall_typefilter=CHANGE_OWNERSHIP:REGISTER_DEVICE
log_browseall_subjectnamefilter	This key allows filtering for specific subject names. You can filter for multiple event type by separating them with a comma. If the needed subject filter needed contains a comma, you can use any other delimiter by setting the key “delimiter” in the section [RuleNum].Example[RuleNum]numberofrules=0log_browseall=yeslog_browseall_location=c:\assemble\reports\log_browseall_requestedsince=1440log_browseall_subjectnamefilter=Signed-Out, System - iOS Enterprise AppStore SCEP	log_browseall_subjectnamefilter=Signed-Out, System - iOS Enterprise AppStore SCEP
log_browseall_requestedat_startdatetime*	The request start date/time of MDM Log Entries.This key is required when setting “log_browseall=yes”	Example:log_browseall_requestedat_startdatetime="2013-03-21 00:00:00"
log_browseall_requestedat_enddatetime*	The request end date/time of MDM Log Entries.This key is required when setting “log_browseall=yes”	Example:log_browseall_requestedat_enddatetime="2013-03-23 00:00:00"
log_browseall_completedat_startdatetime*	The complete start date/time of MDM Log Entries.This key is required when setting “log_browseall=yes”	Example:log_browseall_completedat_startdatetime="2013-03-21 00:00:00"
log_browseall_completedat_enddatetime*	The complete start date/time of MDM Log Entries.This key is required when setting “log_browseall=yes”	Example:log_browseall_completedat_enddatetime="2013-03-23 00:00:00"
mdm_redemption_log*	This key specifies if the MDM Apply Redemption Code log should be downloaded from the VSP to create a CSV report. This report shows which VPP tokens were sent with the following information: 1. Date/Time sent 2. Phone Number 3. Application Identifier 4. Redemption Code 5. Username Note: Currently, there is no way to definitively know which redemption codes that were handed out were not used (i.e. the user already owned the app). You can infer from the logs if a code is handed out multiple times in a row that it was not used. If a new code is handed out for the same app the next time a user requests it, that means the last code was used. *This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings	Example: mdm_redemption_log = yes
mdm_redemption _location	This key specifies the location of the MDM Apply Redemption Code report called iOS_MDM_VPP_Redemption.csv.	Example: mdm_redemption _location ="C:\Assemble\reports\"
mdm_redemption_days	This key specifies how many days of logs ending at the current date and time to request MDM Apply Redemption Code data.	Example: mdm_redemption_days=-250
mdm_erase_log*	This key specifies if the MDM Erase Device Log should be downloaded for creating a CSV report. *This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings This report shows which devices were sent wipe command and the state of the wipe. 1. Acknowledged 2. Administratively Cancelled 3. Internal error 4. Programatically Cancelled 5. Waiting - checkin pending	Example: mdm_erase_log=yes
mdm_erase_log_location	This key specifies the location of the MDM Erase Device Log report called mdm_erase_log.csv.	Example: mdm_erase_log_location="C:\Assemble\reports\"
*cert_log	This key specifies if Logs -> Certificate Log should be downloaded from the VSP to create a CSV report.The report contains the following information: 1. currentPhoneNumber2. emailAddress3. expiredAt4. firstName5. lastName6. id7. miLocalCAId8. phoneNumber9. principal10. settingDesc11. settingNameThe Cert Log report name is CertificateLog_Report_timestamp.csv.	Example:cert_log=yes
cert_log_devicestatus	This key will cross check the device ID against the devices in Core to extract the device UUID and status. This will add the following prefix columns to the report. ² deviceId ² deviceUUID deviceStatus	cert_log_devicestatus=yes
cert_log_issuerserial	This key will extact the Issuer Serial Number from each of the certificates’ content and add it to the report.This will add the following suffix column to the report · IssuerSerial	cert_log_issuerserial=yes
*cert_log_location	This key specifies the location of the Certificate Log report called CertificateLog_Report_timestamp.csv.	Example:cert_log_location=”c:\assemble\reports\”
*cert_log_filter	This key, when combined with “cert_log=yes”, allows for filtering certificate entries in Certificate Logs for a specific field name.Supported field names: · settingName This is the column “SCEP” in the Core UI Certificate Logs principal This is the column “User” in the Core UI Certificate Logs	cert_log_filter = "settingName"
*cert_log_filtervalue	This key specifies the value for the field set in “cert_log_filter” to match. The value must be an exact match.Multiple values can be listed as comma separated strings.NOTE: System SCEP setting names contain a leading space. Example: " System - iOS Enterprise AppStore SCEP"	cert_log_filtervalue = "SCEP-VPN-Wi-Fi"
*cert_log_filtervalue_source	This key specifies the value for the field set in “cert_log_filter” to match by reading the value(s) from a file. The values must be comma separated. Line feeds and carriage returns will be stripped when the file is read. The value must be an exact match.If cert_log_filtervalue_source is set, cert_log_filtervalue is ignored.NOTE: System SCEP setting names contain a leading space. Example: " System - iOS Enterprise AppStore SCEP"	cert_log_filtervalue_source = “c:\settingnames.csv”
*cert_log_filter2	This key, when combined with “cert_log=yes”, allows for filtering certificate entries in Certificate Logs for a specific second field name.The certificate action will only is filter and filter1 match.Supported field names: ² settingName This is the column “SCEP” in the Core UI Certificate Logs principal This is the column “User” in the Core UI Certificate Logs	cert_log_filter2 = "principal"
*cert_log_filtervalue2	This key specifies the value for the field set in “cert_log_filter” to match. The value must be an exact match.Multiple values can be listed as comma separated strings.NOTE: System SCEP setting names contain a leading space. Example: " System - iOS Enterprise AppStore SCEP"	cert_log_filtervalue2 = "user1,user4"
*cert_log_filtervalue2_source	This key specifies the value for the field set in “cert_log_filter” to match by reading the value(s) from a file. The values must be comma separated. Line feeds and carriage returns will be stripped when the file is read. The value must be an exact match.If cert_log_filtervalu2e_source is set, cert_log_filtervalue2 is ignored.NOTE: System SCEP setting names contain a leading space. Example: " System - iOS Enterprise AppStore SCEP"	cert_log_filtervalue2_source = "users.csv"
*cert_log_action	This key specified the action to take for certificates matching “cert_log_filter” and “cert_log_filtervalue”.The supported actions are: ² remove This is the same as choosing a certificate in Certificate Logs and then choosing the action “Remove”.	cert_log_action = "remove"
*besdevices_report	This key specifies if Users & Devices -> BES Devices should be downloaded from the VSP to create a CSV report.The report contains the following information: 1. besStatus2. carrier3. comment4. domain5. emailaddress6. id7. lastAction8. lastActionAt9. lastContactDate10. model11. phonenumber12. pin13. platform14. principal15. status16. userName17. uuidThe BES Devices report name is BESDevices_Report_timestamp.csv.	Example:besdevices_report=yes
*besdevices_report_location	This key specifies the location of the BES Devices report called BESDevices_Report_timestamp.csv.	Example:besdevices_report_location =c:\assemble\reports\
location_history_entries	This key specifies the number of past locations that will be saved in location_history.ini. When the limit is reached the oldest location is replaced with the newest location each time Assemble is run. Location History Report	Example: location_history_entries=100
vspdetails*	This key is set to “yes” for functions that require access to the VSP administration GUI. An example is the trigger “registeredon”. The device detail “Registered On” is not available in the API and must be pulled from the VSP administration GUI. *This trigger requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings.	Example: vspdetails=yes
*apps_files_reports	This key pulls information from “Apps & Files/App Settings” in the VSP GUI. It creates a separate report for each app setting entry. It includes information about them such as app setting name, type, description and labels. It also creates a separate line for each device the app setting is applied to via the labels. The information for each device includes model, email, manufacturer and linkStatus. The linkStatus indicates whether the setting is applied, pending or failed. The reports do not include app setting details.	Example: apps_files_reports=yes
*apps_files_reports_location	This key indicates where to place the “Apps&Files” reports. A separate report is created for each app setting. The report name will be “Apps_Files_Report_AppSettingName_datetimestamp.csv”.	Example: apps_files_reports_location=c:\reports\
*app_inventory_report	This key pulls information from “Apps & Files/App Inventory” in the VSP GUI. It creates a report containing all apps in the list. The CSV report exports the columns "name,bundle,count,platformType,dateFound".	Example:app_inventory_report=yes
*app_inventory_report_location	This key specifies the location of the “Apps & Files/App Inventory” report. The report name is AppInventory_timestamp.csv.	Example: app_inventory_report_location =c:\reports\
app_inventory_report_devicesNOTE: Supported in Core 9.0 and higher	This key will export the list of devices for each returned app in the App Inventory report.	app_inventory_report_devices=yes
*app_inventory_appthority	This key specifies if AppThority data available in the VSP it is added to the app inventory reports. Two additional columns will be added to the report. ² appRating ² appScore   This key is only relavent if the VSP has been setup to integrate with AppThority. See the VSP Admin Guide for details.	Example:app_inventory_appthority=yes
*pendingdevice_report	This key pulls the pending device report in All Smartphones. It contains information for each pending device including: ² UID ² Email Address Display Name First Name Last Name Phone Number Passcode Passcode Expiration	Example: pendingdevice_report=yes
*pendingdevice_report_location	² This key specifies where to place the pending device report. It will overwrite the any previous report in the same location. The name of the report is PendingDeviceReport.csv.	pendingdevice_report_location=C:\reports\
bulkimport	This key allows the import of CSV files to bulk register devices. The location of the CSV files are specified with the key “bulkimportlocation”. Assemble will read each CSV file in the specified location and register using each line in the CSV files. After the CSV files are read, each CSV file is renamed with the suffix “.bak” added. This ensures that the same CSV is not read and bulk registered again. Note: The CSV files cannot be opened and locked when Assemble is run or they cannot be renamed. If they are not renamed, the next Assemble run will create redundant registrations for all CSV file entries. A new log file called bulkimport_year_month_monthday_hour_minute.log will be created for each Assemble run. The log file will also be copied to the location specified in the key “bulkimportlocation”.See Bulk Register CSV Format for the bulk import CSV format.	Example: bulkimport=yes
bulkimportlocation	This key specifies the location of the CSV files used for bulk registration when the key “bulkimport” is set to “yes”. All CSV files in the location will be read. After they have been read, each CSV file is renamed with the suffix “.bak” added. This ensures that the same CSV is not read and bulk registered again. Note: The CSV files cannot be opened and locked when Assemble is run or they cannot be renamed. If they are not renamed, the next Assemble run will create redundant registrations for all CSV file entries.	Examples: bulkimportlocation="\\192.168.1.103\mobileiron\bulkimport\" OR bulkimportlocation="C: \mobileiron\bulkimport\"
bulkaction_ownership	This key specifies if change ownership command sent to Core should be performed on multiple devices at a time. If set to “no”, the change ownership commands will be sent to Core one device at a time (not recommended). The default setting is “yes”.	bulkaction_ownership=yes
bulkactionownership_max	If bulkaction_ownership=yes then this key specifies how many devices to include in a single bulk change ownership command to Core. This setting should not be higher than the default setting 200.	bulkactionownership_max=200
applylabel_count_limit	This key limits the number of devices matching Assemble rules with the action "applylabel" that will have the label in the rule applied. If "applylabel_count_limit" is set to 20 and there are 100 devices that match the rule, only the first 20 will have the label applied. The remaining 80 devices will only logged with the prefix "*EXCEEDED APPLYLABEL_COUNT_LIMIT*". This key is only used in rare use cases when the applying of labels needs to be slowly applied over multiple Assemble runs.	Example: applylabel_count_limit=20
retire_delete_count_limit	This key limits the number of retired devices matching Assemble rules with the action "delete" that will be deleted. If " retire_delete_count_limit " is set to 20 and there are 100 devices that match the rule, only the first 20 will be deleted.If a report is set to be created by the rule only the matching retired devices within the limit will be deleted, but all matching devices will be added to a report even those that exceed the limit.	retire_delete_count_limit=500
*roles_report	This key creates reports for authorized users and LDAP entities that include all VSP roles.NOTE: In Core 7.0 and higher, administrative roles are not listed because the “Users” page no longer contains those roles.	Example:roles_report=yes
*roles_report_location	This key specifies the location of the role reports. Two reports are created. 1. MobileIron_RolesReport_AuthorizedUsers_ timestamp.csv This reports contains the entries from the Authorized Users option in the User Management screen. 2. MobileIron_RolesReport_AuthorizedLDAPEntities_timestamp.csv This reports contains the entries from the LDAP Entities option in the User Management screen.	Example: roles_report_location=c:\reports\
roles_report_adcheck	This key adds a column “AD Account” to the AuthorizedUsers roles report which will have one of the following values. ² Disabled ² Enabled Local Missing If the account is an AD account, Assemble will check to see if the account is disabled, enabled or missing in AD.   NOTE: This requires Assemble to have a direct connection to Active Directory. See the section AD Connection and Authentication for details on how to set up the connection.	roles_report_adcheck = yes
roles_report_ldapdetails	This key will add additional data for the LDAP entities roles report. It will pull group members from Core for group objects. It will also pull group membership from Core for user objects. These are the same groups and users found by clicking “View Users” or “View Group” in the Core UI.The following columns are added to the LDAP enties report. ² firstName The first name for group members N/A for group membership   lastName The last name for group members N/A for group membership   accountName The account name for group members The group name for group membership   Email The email address for group members N/A for group membership   objectDN The user object distinguishedName for group members The group object distinguishedName for a group membership	roles_report_ldapdetails = yes
*config_sp_policies	The key creates a separate report for all policies in the Policies tab (Security & Policies pre-VSP 5.5) which includes all the policy configuration settings. Each report includes: ² PolicyName ² PolicyAppType PolicyProfileType PolicyDescription PolicyDeviceCount PolicyPendingCount   SettingNameX SettingValueX LabelNameX	config_sp_policies=all
*config_af_policies	The key creates a separate report for all policies in the Apps & Configs tab (Apps & Files pre-VSP 5.5) which includes all the policy configuration settings. Each report includes: ² AppsFilesPolicyName ² AppsFilesPolicyAppType ² AppsFilesPolicyDescription ² AppsFilesPolicyDeviceCount ² AppsFilesPolicyPendingCount ² SettingNameX ² SettingValueX ² LabelNameX	config_af_policies=all
*config_af_policies_type	When combined with “config_af_policies=all”, this key filters for the specified type of configuration. All configurations that match the type specified will be placed into a single CSV file rather than creating a separate CSV file for every configuration. All configuration settings will be included in the CSV, but label assignments for each configuration will not be included.Below are the configuration types: ² APPCONFIG ² APPENROLLMENTTOKEN APPPOLICY BROWSER CERTIFICATE DOCS DOCS_V2 EXCHANGE KIOSK MDM MDM_APP_CONFIG PROVISIONING_PROFILE RESTRICTION SAMSUNGCONTAINER SCEP SINGLESIGNON VPN WEBCLIP WEBCONTENTFILTER WIFI	Example: config_af_policies_type=PROVISIONING_PROFILE
*config_location	This key specifies the directory for the config_sp_policies and config_af_policies reports.	config_location=C:\assemble\reports\config\
*config_sp_policies_modification	The key creates a report for Modification History for policies in the Policies tab (Security & Policies pre-VSP 5.5). This includes the modification type (Creation or Modification), timestamp and user account that applied the modifiation. Each report includes: ² PolicyName ² ModificationType ² UpdatedAt ² UpdatedBy ²   The name of the report is Policies_Modifications_timestamp.csv. The report is placed in the directory set by the key config_location.   This key can be set to “all” to check all policies for creation/modification events. It can also be set with a list of specific policy names that are comma separated.	config_sp_policies_modification = allconfig_sp_policies_modification = NA_Security,NA_Lockdown
*config_sp_policies_modification_age	This key sets the age of the modifications to be included in the config_sp_policies_modification report. If the key is not set or it is set to “all”, all modifications will be included in the report.This key can be set with the number of past hour modifications to be included in the report. For example, if the key was set with 60 the report would only include policies that have been modified in the last 60 minutes.	config_sp_policies_modification_age = 1440
*config_sp_policies_modification_syslog	This key specified if the entries in the config_sp_policies_modification report should be forward via syslog messages immediately after the report is created.The syslog settings are pulled from the following keys. The settings for these keys are examples. Refer to the individual keys in the Assemble documentation for more information. ² log_syslogport=514 ² log_syslogserver= 192.168.1.100 log_syslognotice=security.info log_syslogmessage=PolicyLog log_actionreason=PolicyModificationCreation	config_sp_policies_modification_syslog = yes
*config_af_policies_modification	The key creates a report for Modification History for policies in the Apps & Configs tab (Apps & Files pre-VSP 5.5). This includes the modification type (Creation or Modification), timestamp and user account that applied the modifiation. Each report includes: ² PolicyName ² ModificationType ² UpdatedAt ² UpdatedBy ²   The name of the report is Configurations_Modifications_timestamp.csv. The report is placed in the directory set by the key config_location.   This key can be set to “all” to check all configurations for creation/modification events. It can also be set with a list of specific configuration names that are comma separated.	config_af_policies_modification = allconfig_af_policies_modification = NA_WiFi,NA_VPN
*config_af_policies_modification_age	This key sets the age of the modifications to be included in the config_af_policies_modification report. If the key is not set or it is set to “all”, all modifications will be included in the report.This key can be set with the number of past hour modifications to be included in the report. For example, if the key was set with 60 the report would only include policies that have been modified in the last 60 minutes.	config_af_policies_modification_age = 1440
*config_af_policies_modification_syslog	This key specified if the entries in the config_af_policies_modification report should be forward via syslog messages immediately after the report is created.The syslog settings are pulled from the following keys. The settings for these keys are examples. Refer to the individual keys in the Assemble documentation for more information. ² log_syslogport=514 ² log_syslogserver= ² 192.168.1.100 ² log_syslognotice=security.info ² log_syslogmessage=PolicyLog ² log_actionreason=PolicyModificationCreation	config_af_policies_modification_syslog = yes
* user_local_update	This key enables the automated updating of local user information.	user_local_update = yes
* user_local_trigger	When automating the update of local user information, this key indicates which of the local user data fields to match. If a field matches then the local user account will be updated.Supported triggers are: ² email ² emaildomain This trigger will look for email address and match the domain after the “@” symbol lastname principal	user_local_trigger = email
* user_local_value	When automating the update of local user information, this key indicates which value for the specified trigger to match. If a field matches then the local user account will be updated.	user_local_value = [email protected]
* user_local_csv	When automating the update of local user information, this key indicates if the lastName value to be matched and the replacement email address should be read from a CSV file rather than from user_local_value and user_local_replacevalue.Each lastname and email address combination should be comma seperated and on a separate line.Example CSV:Lastname1,[email protected],[email protected]: The option is only available when setting “user_local_trigger = lastname” or “user_local_trigger = email”.	user_local_csv = c:\assemble\userlastname_email.csv
*user_local_replacevariable	When automating the update of local user information, this key indicates which variable to update when there is a match.The two supported variables are: ² Email This will replace the full email address of the account. Emaildomain This will only replace the domain portion of the email address for the matching account.	user_local_replacevariable = email
* user_local_replacevalue	When automating the update of local user information, this key indicates what value to update the replacement variable with when there is a match.	user_local_replacevalue = [email protected]
appcatalogreportNOTE:Available in Core 9.0	This key enables the export of the list of apps on the App Catalog page in Core into a CSV report.	appcatalogreport=yes
appcatalogreport_nameNOTE:Available in Core 9.0	This key specifies the name for app catalog reports. The default name is “AppCatalog”.	appcatalogreport_name="CurrentAppCatalog"
appcatalogreport_locationNOTE:Available in Core 9.0	This key specifies the folder location for app catalog reports. The location of the report can also be passed as a command line argument by setting “appcatalogreport_location=%1”.The fourth command line argument will replace the %1.Example:assemble_v42.1.exe core.ini rules.ini test c:\assemble\reports\appcatalogreports\In the case above, the reports will be placed in the folder c:\assemble\reports\appcatalogreports\. Be sure to include the trailing slash for the location path.	appcatalogreport_location="C:\reports\"
appcatalogreport_timestampNOTE:Available in Core 9.0	This key indicates if a timestamp should be added to the end of the app catalog reports.	appcatalogreport_timestamp=noDefault setting:appcatalogreport_timestamp=yes
appcatalogreport_queryNOTE:Available in Core 9.0	This key specifies an optional search string. The string is used to fully or partially match application names.	appcatalogreport_query=anyconnect
appcatalogreport_platformNOTE:Available in Core 9.0	This optional key specifies a platform filter. Only one filter can be used. Each platform is represented by a single letter code. ² A = Android ² E = Windows I = iOS M = Windows Phone	appcatalogreport_platform=I
appcatalogreport_inhouseNOTE:Available in Core 9.0	This optional key specified a filter for public or inhouse applications. ² false = only return public applications ² true = only return inhouse applications	appcatalogreport_inhouse=false
appcatalogreport_devicesNOTE:Available in Core 9.0	This optional key will return the list devices with the app installed for each app in the report.	appcatalogreport_devices=yes
appcatalogreport_newpermissionsfilterNOTE:Available in Core 9.0	This key will only list the Android for Work apps with new permissions that require approval.When this key is set to ‘yes’, appcatalogreport_platform will be set to ‘A’ and appcatalogreport_inhouse will be set to ‘false’.	appcatalogreport_newpermissionsfilter=yes
appcatalogreport_emailNOTE:Available in Core 9.0	This key will email an app catalog report as an attachment. If the report is empty, no email will be sent.NOTE: SMTP setting must be specified in the same .ini file with your VSP/Core connection settings. See SMTP Connection and Authentication.	appcatalogreport_email="yes"
appcatalogreport_email_subjectNOTE:Available in Core 9.0	The subject for the app catalog report attachment report.	appcatalogreport_email_subject="New App Permissions Found"
appcatalogreport_email_bodyNOTE:Available in Core 9.0	The body for the app catalog report attachment report.	appcatalogreport_email_body="New app permissions found in attached report"
appcatalogreport_email_toaddressNOTE:Available in Core 9.0	The “To Address” for the app catalog report attachment report.	appcatalogreport_email_toaddress="[email protected]"
appcatalogreport_email_fromaddressNOTE:Available in Core 9.0	The “From Address” for the app catalog report attachment report.	appcatalogreport_email_fromaddress="[email protected]"
appcatalogreport_email_fromnameNOTE:Available in Core 9.0	The “From Name” for the app catalog report attachment report.	appcatalogreport_email_fromname="Jack Zarris"
appcatalogreport_email_importanceNOTE:Available in Core 9.0	The importance for the app catalog report attachment report.Key setting can be : ² High ² Normal ² Low	appcatalogreport_email_importance="High"
*appdistreport_androidNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of Android apps in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_Android_timestamp.csv. ² Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_android=yes
appdistreport_android_linkNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key will add the link to the app in Google Play. There is no column header for link column.	appdistreport_android_link=yes
appdistreport_newpermissionsfilterNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key will list the new permissions for Android For Work apps that have new permissions that require approval. ² PermissionsId ² PermissionsState ² PermissionsName PermissionsDescription	appdistreport_newpermissionsfilter=yes
*appdistreport_iosNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of iOS apps in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_iOS_timestamp.csv.Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_ios=yes
*appdistreport_symbianNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of Symbian apps in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_Symbian_timestamp.csv. ² Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_symbian=yes
*appdistreport_winmoNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of WinMo apps in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_MinMo_timestamp.csv.Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_winmo=yes
*appdistreport_webapplicationNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of Web Applications in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_WebApplication_timestamp.csv.Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_webapplication =yes
*appdistreport_windowsphoneNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of Windows Phone apps in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_WindowsPhone_timestamp.csv.Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_windowsphone =yes
*appdistreport_windowsprortNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key enables the export of the list of Windows Pro/RT apps in the App Distribution area of the VSP into a CSV report.The location of the report is specified by the key appdistreport_location. The name of the report is AppDistribution_WindowsProRT_timestamp.csv.Note: The category column is only supported for VSP 5.8 and higher. For earlier versions this column will be blank.	appdistreport_windowsprort =yes
*appdistreport_locationNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key specifies the folder location for all app distribution reports. The location of the report can also be passed as a command line argument by setting “appdistreport_location=%1”.The fourth command line argument will replace the %1.Example:assemble_v28.9.exe vsp.ini rules.ini test c:\assemble\reports\appdistreports\In the case above, the reports will be placed in the folder c:\assemble\reports\appdistreports\. Be sure to include the trailing slash for the location path.	appdistreport_location="C:\reports\"
*appdistreport_timestampNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key indicates if a timestamp should be added to the end of the app distrubution reports.	appdistreport_timestamp=noDefault setting:appdistreport_timestamp=yes
appdistreport_newpermissionsfilter*Supported in Core 8.0 and higherNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key filters for apps where “New Permissions” is true or false. This is only applicable for Android apps. All other app types will always show as ‘false’.	appdistreport_newpermissionsfilter=true
appdistreport_devicesNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key will add a row for each installed device for the app with the following columns. ² DeviceSpaceID ² DeviceSpacePath ² DeviceID ² DeviceModel ² DeviceName ² DeviceOS ² DevicePhoneNumber ² DevicePlatform ² DevicePrincipal ² DeviceUsername ² DeviceUUID ² DeviceVersion DeviceVPPAccountName	appdistreport_devices=yes
*appdistreport_combineNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	² This key indicates if the multiple app distribution reports should be combined into one report. If this key is set with “yes”, the individual reports will be combined into one and the individual reports will then be deleted.	appdistreport_combine=yes   Default setting: appdistreport_combine=no
*appdistreport_combinenameNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	When appdistreport_combine equals “yes”, a custom name can be set for the combined app distrubution report. The default name is “AppDistribution_Combined”.	appdistreport_combinename=“VSP1_FullAppDistrubution_Report”Default:appdistreport_combinename=“AppDistribution_Combined”
appdistreport_emailNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	This key will email a combined app distribution report as an attachment. This will only work in combination with “appdistreport_combine=yes”.If the report is empty, no email will be sent.NOTE: SMTP setting must be specified in the same .ini file with your VSP/Core connection settings. See SMTP Connection and Authentication.	appdistreport_email="yes"
appdistreport_email_subjectNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	² The subject for the app distrubution report attachment report.	appdistreport_email_subject="New App Permissions Found"
appdistreport_email_bodyNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	The body for the app distrubution report attachment report.	appdistreport_email_body="New app permissions found in attached report"
appdistreport_email_toaddressNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	The “To Address” for the app distrubution report attachment report.	appdistreport_email_toaddress="[email protected]"
appdistreport_email_fromaddressNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	The “From Address” for the app distrubution report attachment report.	appdistreport_email_fromaddress="[email protected]"
appdistreport_email_fromnameNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	The “From Name” for the app distrubution report attachment report.	appdistreport_email_fromname="Jack Zarris"
appdistreport_email_importanceNOTE:Not available in Core 9.0. Replaced by “appcatalogreport”.	The importance for the app distrubution report attachment report.Key setting can be : ² High ² Normal ² Low	appdistreport_email_importance="High"
ie_resolvetimeout	Maximum time allowed to use when resolving a host name, such as brugbart.com, to an ip addressThe setting is expressed in milliseconds. The default setting is 600000.	Example:ie_resolvetimeout=120000
ie_connecttimeout	Maximum time allowed to spend when connecting to a server, if a server does not respond within this time, the connection is dropped.The setting is expressed in milliseconds. The default setting is 600000.	Example:ie_connecttimeout=120000
ie_sendtimeout	Timeout for individual packets. Larger packets are normally broken up into multiple smaller packets.The setting is expressed in milliseconds. The default setting is 600000.	Example:ie_sendtimeout=120000
ie_receivetimeout	Timeout for incoming packets. Again, larger packets are normally broken into multiple smaller ones.The setting is expressed in milliseconds. The default setting is 600000.	Example:ie_receivetimeout=120000
ie_connecttimeout	Maximum time allowed to spend when connecting to a server, if a server does not respond within this time, the connection is dropped.The setting is expressed in milliseconds. The default setting is 600000.	Example:ie_connecttimeout=120000
ie_sendtimeout	Timeout for individual packets. Larger packets are normally broken up into multiple smaller packets.The setting is expressed in milliseconds. The default setting is 600000.	Example:ie_sendtimeout=120000
ie_receivetimeout	Timeout for incoming packets. Again, larger packets are normally broken into multiple smaller ones.The setting is expressed in milliseconds. The default setting is 600000.	Example:ie_receivetimeout=120000
*appdistreport_location	This key specifies the folder location for all app distribution reports.	appdistreport_location="C:\reports\"
unicode*This key has been deprecated in Assemble 15.9 and higher. It is no longer necessary. All reports in UTF8 format and support unicode characters.	This setting specifies if reports should be written in unicode rather than the default ANSI format.If unicode is set to “yes” then wget must also be set to “yes” or not included in the [RuleNum] section because the default setting is “yes”. If unicode is set to “yes”, wget will be automatically switched to “yes” if it is set to “no”.If unicode is set to “yes” unicode_setting is set to “128” by default. It is not recommended at this time to set unicode_setting to any other value with one exception.When updating or creating AppControl rules, if character such as squared (e.g. "Office²") or registered trademark (e.g. "SLII®") are used in app names, set unicode_setting=0 in the section [RuleNum].	unicode=yes
unicode_setting	This setting should not be changed unless recommended by MobileIron support. The default setting is “128” to support unicode characters.	unicode_setting=0
*watchlist_sp_policies	This key exports basic information for each Security&Policies policy in addition to details for all devices on each policy’s watchlist. The only key value possible is “all”. In a later release listing of specific policies to export will supported.The CSV name is Watchlist_Security_timestamp.csv.	Example:watchlist_sp_policies=all
*watchlist_sp_policies_push	The key specifies which policies in the Policies tab should be pushed to devices on the the policy Watchlist. The policies should be comma separated and surrounded with double quotes. If one or more policies have a comma in their name, use a different delimiter and specify the new delimeter with the key “delimiter” in the section [RuleNum].If all policies should be pushed if there are devices on the Watchlist, set “watchlist_sp_policies_push=all”The key “watchlist_sp_policies=all” must also be set. This will download a report and the column “PolicyPush” will indicate which policies were pushed to which devices.It is important to note that some policies will still show up as “Pending” or “Update Pending” even after the device has been forced to check in. Some policies will not fully take affect until the device’s next unlock by the user. This mainly affects iOS devices. Once the device is unlocked again, it should automatically check in to complete the policy application.	Examples:watchlist_sp_policies_push="Default AppConnect Global Policy,Default Security Policy,Default Docs@Work Policy"watchlist_sp_policies_push=all
*watchlist_af_policies	This key exports basic information for each Apps&Files policy in addition to details for all devices on each policy’s watchlist. Setting the key value to “all” will export the watchlist for all configurations. You can also specify one or more configuration names that are comma delimited.The CSV name is Watchlist_AppsFiles_timestamp.csv.	Example:watchlist_af_policies=allwatchlist_af_policies=CorpExchangeConfig
*watchlist_af_policies_push	The key specifies which policies in the Apps & Configs tab should be pushed to devices on the the policy Watchlist. The policies should be comma separated and surrounded with double quotes. If one or more policies have a comma in their name, use a different delimiter and specify the new delimeter with the key “delimiter” in the section [RuleNum].If all policies should be pushed if there are devices on the Watchlist, set “watchlist_af_policies_push=all”The key “watchlist_af_policies=all” must also be set. This will download a report and the column “PolicyPush” will indicate which policies were pushed to which devices.It is important to note that some policies will still show up as “Pending” or “Update Pending” even after the device has been forced to check in. Some policies will not fully take affect until the device’s next unlock by the user. This mainly affects iOS devices. Once the device is unlocked again, it should automatically check in to complete the policy application.	Examples:watchlist_af_policies_push=" System - Multi-User Secure Sign-In,Exchange Mobile-Iron"watchlist_af_policies_push=all
The following default policies have one leading space in their names. ² System - iOS Enrollment CA Certificate ² System - iOS Enrollment SCEP System - iOS Enterprise AppStore System - iOS Enterprise AppStore SCEP System - iOS MDM System - iOS MDM CA Certificate System - Multi-User Secure Sign-In     If you specify any of these policies, include the space in the name. Example:   watchlist_af_policies_push=" System - iOS Enrollment CA Certificate, System - Multi-User Secure Sign-In "
watchlist_location	The key specifies the location for watchlist_sp_policies and watchlist_af_policies CSV exports.	Example:watchlist_location=”c:\reports\”
appcontrol_newrule*	This key will create a new App Control policy. The policy name, type and entries are controlled by the next three keys appcontrol_newrule_name, appcontrol_newrule_type and appcontrol_newrule_entries.	Example:appcontrol_newrule=yes
appcontrol_newrule_name*	The key specifies the name of the new App Control policy name. If the name already exists, the policy will not be overwritten or replaced.	appcontrol_newrule_name=new_appcontrol_policy_name
appcontrol_newrule_type*	This key specifies the new App Control policy type. The three options are: ² White ² Black Mandatory	appcontrol_newrule_type=white
appcontrol_newrule_entries*	This key specifies the location of the CSV containing the rule entries for the new App Control policy. An example of the CSV format is contained in the file appcontrollist_example.csv that is in the Assemble zip starting in Assemble version 21.2. The format of each line of the CSV file is:AppSearchString,Operator (CONTAINS or IS),"DevicePlatform (0=All, I=iOS, A=Android, B=BlackBerrry, L=Mac OS X, M=Windows Phone 8)",CommentThe example string above can be left in the CSV as line one. Assemble will ignore it.In Core 7.5 and higher, different operators are utilized.Use this instead: AppSearchString,Operator (IDENTIFIER EQUALS or IDENTIFIER CONTAINS or IS MS STORE GUID or NAME CONTAINS or NAME EQUALS),"DevicePlatform (0=All, I=iOS, A=Android, B=BlackBerrry, L=Mac OS X, M=Windows Phone 8)",Comment Example (any line containing AppSeachString is ignored): AppSearchString,Operator (IDENTIFIER EQUALS or IDENTIFIER CONTAINS or IS MS STORE GUID or NAME CONTAINS or NAME EQUALS),"DevicePlatform (0=All, I=iOS, A=Android, B=BlackBerrry, L=Mac OS X, M=Windows Phone 8)",Comment appstring1,IDENTIFIER EQUALS,I,comment1 appstring2,IDENTIFIER CONTAINS,I,comment2 appstring3,IDENTIFIER CONTAINS,A,comment3 appstring4,IDENTIFIER EQUALS,A,comment4 appstring5,NAME CONTAINS,I,comment5 appstring6,NAME EQUALS,I,comment6 appstring7,NAME CONTAINS,A,comment7 appstring8,NAME EQUALS,A,comment8 10f2995d-1f82-4203-b7fa-46ddbd07a6e6,IS MS STORE GUID,M,comment9	appcontrol_newrule_entries=" C:\assemble\appcontrollist_example.csv"
appcontrol_updaterule*	This key will update an existing App Control policy. The policy name, type and entries are controlled by the next two keys appcontrol_updaterule_name and appcontrol_newrule_entries.	appcontrol_updaterule=yes
appcontrol_updaterule_name*	The key specifies the name of the App Control policy name that will be updated. The policy name must already exist.	appcontrol_updaterule_name=jackrule2
appcontrol_updaterule_entries*	This key specifies the location of the CSV containing the rule entries to be added to the existing App Control policy. An example of the CSV format is contained in the file appcontrollist_example.csv that is in the Assemble zip starting in Assemble version 21.2. The format of each line of the CSV file is:AppSearchString,Operator (CONTAINS or IS),"DevicePlatform (0=All, I=iOS, A=Android, B=BlackBerrry, L=Mac OS X, M=Windows Phone 8)",CommentThe example string above can be left in the CSV as line one. Assemble will ignore it.In Core 7.5 and higher, different operators are utilized.Use this instead: AppSearchString,Operator (IDENTIFIER EQUALS or IDENTIFIER CONTAINS or IS MS STORE GUID or NAME CONTAINS or NAME EQUALS),"DevicePlatform (0=All, I=iOS, A=Android, B=BlackBerrry, L=Mac OS X, M=Windows Phone 8)",Comment Example (any line containing AppSeachString is ignored): AppSearchString,Operator (IDENTIFIER EQUALS or IDENTIFIER CONTAINS or IS MS STORE GUID or NAME CONTAINS or NAME EQUALS),"DevicePlatform (0=All, I=iOS, A=Android, B=BlackBerrry, L=Mac OS X, M=Windows Phone 8)",Comment appstring1,IDENTIFIER EQUALS,I,comment1 appstring2,IDENTIFIER CONTAINS,I,comment2 appstring3,IDENTIFIER CONTAINS,A,comment3 appstring4,IDENTIFIER EQUALS,A,comment4 appstring5,NAME CONTAINS,I,comment5 appstring6,NAME EQUALS,I,comment6 appstring7,NAME CONTAINS,A,comment7 appstring8,NAME EQUALS,A,comment8 10f2995d-1f82-4203-b7fa-46ddbd07a6e6,IS MS STORE GUID,M,comment9	appcontrol_updaterule_entries="C:\assemble\appcontrollist_example.csv"
*sendappmessageNOTE: Apps must be set as Featured to send push messages and prompts to install. Messages and prompts are only sent to devices that are members of one or more of the labels assigned to the app.	This key enables Assemble to send an app installation request to iOS devices. This is the same as clicking the “Message” button in the App Distribution Library screen in the VSP. Depending on the other Assemble “sendappmessage” options, iOS devices will be sent messages about a new app install or upgrade. iOS5 and higher devices can be automatically prompted to install or upgrade an app. iOS5 and higher devices in Supervisor Mode can have apps silently installed or updated.	sendappmessage=yes
*sendappmessage_appnames	This key specifies which apps should have install/update messages sent. The app names can usually be cut and paste from the iOS App Catalog screen. If the app has special characters, they may not match correctly. If this occurs, check the Assembe log for the app name returned by the VSP.Example:The app name “PocketCloud Remote Desktop Pro - RDP / VNC / View” does not match correctly. In the Assemble logs, you can find the correct string to use for app name matching2013-11-12 07:54:38 : AppName: Web@Work2013-11-12 07:54:38 : AppName: Accellion2013-11-12 07:54:38 : AppName: Evernote2013-11-12 07:54:38 : AppName: PocketCloud Remote Desktop Pro - RDP / VNC / View2013-11-12 07:54:38 : AppName: GoodReader for iPhone2013-11-12 07:54:38 : AppName: Salesforce ChatterMultiple app names can be specified in a comma separated format. If there are commas in any of the app names, you can use a different delimiter such as “|”. If you change the delimiter, set the key “delimiter”. For instance, if you want to use “|” as a delimiter use “delimiter=|”.For app messages to be pushed to devices, each app must be set as featured in the app settings.	sendappmessage_appnames=Cisco AnyConnect,Apps@Work,Adobe Reader
*sendappmessage_appversions	For every app name, there must be an accompanying app version. If there are multiple app versions in iOS App Distribution, this allows control over which version is used to send the app message. If there is only one version, set the version to “any”.	sendappmessage_appversions=any,1.0.2,any
*sendappmessage_installincluded	This key pushes messages to devices that do not yet have the app installed. It is the same as checking “Send request for new installations” for the Send App Installation Request in the VSP.	sendappmessage_installincluded=true
*sendappmessage_updateIncluded	This key pushes messages to devices have the app installed but are not on the latest version. It is the same as checking “Send request for updates” for the Send App Installation Request in the VSP.	sendappmessage_updateIncluded=true
*sendappmessage_pushApp	This key pushes a prompt to install or upgrade the app to iOS5 or higher devices. It is the same as checking “Use iOS managed app install/update action (iOS5 and later)” for the Send App Installation Request in the VSP.If the iOS device is in Supervisor Mode, the install or upgrade will be silent with no prompt.	sendappmessage_pushApp=true
sendappmessage_convertToManagedNOTE: This setting only works for Core 9.0 and higher.	This key switches a pushed app from an unmanaged app to an managed app if the following setting has been enabled for the app in the App Catalog. ² Allow conversion of apps from unmanaged to managed in Apps@Work (iOS 9 or later).   If the setting has not been enabled, the app will be ignored and will not be pushed to devices.	sendappmessage_convertToManaged=true
vsp_ui_port	If you have changed the default port for the Core admin portal from 443 to a custom port, you must set vsp_ui_port with the new custom port number. Assemble will then use the new port number for all interactions with the UI or V2 APIs. Assemble will continue to use port 443 for V1 API interactions because the V1 API port cannot be changed in Core.	Example:vsp_ui_port=8443
vsp_api_port	This key is a placeholder to allow use of a custom port for V1 API interactions. At this time the V1 API port cannot be changed from the default setting of 443.

 

*NOTE: This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings

**NOTE: Enabling this function requires the VSP username and password have access to the MICS or System side of the VSP GUI.

Section: [RuleX]

This section defines the details for one rule.

Key	Description	Values
NumberofElements	The number of elements for the rule.	1-20 Example: numberofrules=4
Action	The action for the rule.	applylabel:labelname removelabel:labelname lock retire wipe syslog report activesync:block,reinstate or wipe Example: Action=applelabel:weekdaylabel
ActionReason	The reason for the action. This reason is included in the logs and also optionally sent to the VSP for the actions Wipe and Retire.	Any description Example:ActionReason=applying labels only to iPads
ActionMulti	This key can be used to specify additional actions to be taken against matching devices. The key “Action” must still be set as the primary action. The key “ActionMulti” supports all actions except those below. sendmessage reporting syslog alternative actions push profile	Example: ActionMulti=applylabel:testlabelapply,applylabel:testlabel_match
ActionNonMatch	The action for the rule if the device does not match for any reason. This key provides a method to apply an action for devices that do not match the rule.   WARNING: This should be tested before executing Assemble in run mode because device can not match rules due to device details that are missing or “NotFound”.	Example: ActionNonMatch=removelabel:testlabelapply
ActionNonMatchReason	The reason for the non-match action. This reason is included in the logs for non-matched devices and also optionally sent to the VSP for the actions Wipe and Retire.	Any description Example:ActionReason=applying labels only to iPads
ActionNonMatchMulti	This key can be used to specify additional actions to be taken against non-matching devices. The key “ActionNonMatch” must still be set as the primary non-match action. The key “ActionNonMatchMulti” supports all actions except those below. sendmessage reporting syslog alternative actions push profile	Example: ActionNonMatchMulti=applylabel:testlabelapply,applylabel:testlabel_NONmatch
Wakeup	If there is a match of all elements, the device should or should not be send a command to check in with VSP. This setting is not applicable for Wipe and Retire actions.	no yes Example: Wakeup=yes
Wakeupalt	When combined with “wakeup=yes”, this key will send a wakeup command for matching devices via the administration GUI instead of using the V1 API. There are differences in the backend functions called by the V1 API wakeup command and the “Force Device Check-in” that may require setting this option.   The default setting is “no”.	Example wakeupalt=yes
deleteuser	This key indicates if the username (principal) of the device should be deleted from User Management on the VSP.   This function only works in conjunction with the action “retire” because a user account cannot be deleted while a device is registered under the username.   This is meant to be used to clean up the VSP user list when devices are retired.	yes no   deleteuser = yes
SendMessage	If there is a match of all elements, the device should or should not be sent a custom push notification message (APNS for iOS or C2DM for Android). This setting is not applicable for Wipe and Retire actions.	no yes Example: SendMessage=yes
SendMessageText	If there is a match of all elements and SendMessage is set to "yes", this message will be sent to the device.   NOTE: iOS push messages are limited to 125 characters. Messages with more than 125 characters will be sent to Apple’s messaging gateway but will be dropped and not sent to iOS devices.	Any message Example: SendMessageText=Your device is in US
SendMessageSMS	If there is a match of all elements, the device should or should not be sent a custom SMS message. This setting is not applicable for Wipe and Retire actions.   *Note: There is an outstanding bug in VSP 4.5.4 with the API that sends SMS messages. The API sends the SMS message and an email to the address associated with the device with no email subject.	no yes Example: SendMessageSMS=yes
SendMessageSMSText	If there is a match of all elements and SendMessageSMS is set to "yes", this message will be sent to the device.	Any message Example: SendMessageSMSText=Your device is in US
SendMessageEmail	If there is a match of all elements, the device should or should not be sent a custom email message. The email is sent to the address assoctiaed with the registered user of the device. This setting is not applicable for Wipe and Retire actions.   The email message is sent via the VSP API.	no yes Example: SendMessageEmail=yes
SendMessageEmailText	If there is a match of all elements and SendMessageEmail is set to "yes", this text will be sent to the device in the email body.	Any message Example: SendMessageEmailText =Your device is in US
SendMessageEmailSubject	If there is a match of all elements and SendMessageEmail is set to "yes", this text will be sent to the device in the email subject.	Any subject Example: SendMessageEmailSubject =Device is in US
SendMessageSMTPEmail	If there is a match of all elements, the device should or should not be sent a custom email message. The email is sent to the address assoctiaed with the registered user of the device. This setting is not applicable for Wipe and Retire actions.   The email message is sent via the SMTP settings in the vsp.ini file.   The following keys must also be set: sendmailFromName sendmailFromAddress	no yes Example: SendMessageSMTPEmail=yes
SendMessageSMTPEmailText	If there is a match of all elements and SendMessageEmail is set to "yes", this text will be sent to the device in the email body.   The text of the email can be specified in the key value or a file can be used with the email body text in plain text or html. If a file is used, use the format “filelocation;filepath”. Use a semicolon to separate the work filelocation and the path to the file.	Any message Example:   SendMessageSMTPEmailText =Your device is in US   Example: SendMessageSMTPEmailText = filelocation;c:\assemble\emailbody.txt
SendMessageSMTPEmailSubject	If there is a match of all elements and SendMessageEmail is set to "yes", this text will be sent to the device in the email subject.	Any subject Example: SendMessageSMTPEmailSubject =Device is in US
SendMessageSMTPEmailSubjectPrefix	This allows disabling the default subject prefix which adds the matching device model to the beginning of the email subject.	SendMessageSMTPEmailSubjectPrefix=no
SendMessageSMTPEmailText_variables	If SendMessageSMTPEmailText is set to read from a file (e.g. SendMessageSMTPEmailText = filelocation;c:\assemble\emailbody.txt) this key will parse the file text for device detail names surrounded by curly brackets (e.g. {UserDisplayName}) and replace them with the matching device’s detail with the same name.   Assemble will consider any string inside the curly brackets to be a variable to replace.  If the variable string doesn’t match any known device detail it will return 0.  If the variable string is a known device detail, but the device does not have a setting for that detail (e.g. Serialnumber for Android) it will return NotFound.	SendMessageSMTPEmailText_variables=yes
syslogmessage	This key sets the custom syslog message portion of the syslog string. The default value is “MI VSP syslog message.”	Any string is accepted. Equal symbols should be avoided. Example: syslogmessage=Device Compromised
syslognotice	This key sets the syslog priority. The priority may be specified numerically or as a “facility.level” pair. For example, “-p local3.info” logs the message(s) as informational level in the local3 facility.	Valid facility names are: auth, authpriv (for security information of a sensitive nature), cron, daemon, ftp, kern, lpr, mail, news, security (deprecated synonym for auth), syslog, user, uucp, and local0 to local7, inclusive. Valid level names are: alert, crit, debug, emerg, err, error (deprecated synonym for err), info, notice, panic (deprecated synonym for emerg), warning, warn (deprecated synonym for warning). The default is “security.notice.” Example: syslognotice=syslog.crit
syslogvar	This key indicates which device details to append to the syslog message. The device details must be comma separated with no spaces. The default value is “uuid,principal,manufacturer,ModelName,device_model,compliance.”   Any device detail can be used, but any details with white space must have the white space removed (i.e. “iPhone UDID” should be changed to “iPhoneUDID”.	Any comma separated device details. Example: syslogvar= uuid,principal,manufacturer,ModelName,device_model,compliance   Special variables: When utilizing the trigger app:managed|unmanaged|installed|notinstalled|any the follow variables can be utilized: apps_managedstatus: adds the app name and managed/unmanaged status apps_version: adds the app version apps_name: adds the name of the matching app apps_managed: adds only the managed status of the app apps_bundle: adds the bundle name of the matching app (requires setting appnames_verbose=yes in the section [RuleNum]   When ad_data = yes in the rules file the following variables can be utilized: ad_device_dn: adds the device user’s AD distinguished name ad_device_uac: adds the device user’s AD userAccessControl information ad_device_samaccountname: adds the device user’s AD sAMAccountname ad_device_member of: adds the device user’s AD group memberships ad_device_department: add the device user’s AD deparment ad_device_employeeid: add the device user’s employeeid attribute value   ad_pass_expire_days: the number of days until the user’s account password will expire and need to be changed. ad_custom1: See section [RuleNum] and the key ad_custom1_attribute for customizing this attribute lookup. ad_custom2: See section [RuleNum] and the key ad_custom2_attribute for customizing this attribute lookup. ad_custom3: See section [RuleNum] and the key ad_custom3_attribute for customizing this attribute lookup. ad_custom4: See section [RuleNum] and the key ad_custom4_attribute for customizing this attribute lookup. ad_custom5: See section [RuleNum] and the key ad_custom5_attribute for customizing this attribute lookup.   The variable “lat_long_last_captured_at” is represented in epoch time. Two special variables translate that time into UTC and local time. device_location_capturetime_utc device_location_capturetime_local
		The variable “lastconnectedat” is UTC time in the format “2013-01-18T21:13:13”. Two special variables translate that time into a common US format for UTC and local time. · lastconnectedat_utc · lastconnectedat_local The variable “last_security_state_changed_on” is UTC time in the format “2013-01-18 21:13:13”. A special variable translates that to local time. ² last_security_state_changed_on_local The following variable will insert the date/time the report was run in the format “year/month/day hour:minute:second” · timestamp The variable “ios_app_connected” is the number of hours since Mobile@Work on iOS last connected to Core. A special variable translates that to local time. ios_app_connected_timestamp
reportsend	This key specifies if a report should be created if there is a Boolean match of all grouped decision elements for the device. The default value is “no”.	no yes Example: reportsend=yes   Default is “no”
reportcsv_to_xls	This key specifies if the CSV report should be copied and converted to XLS format. The original CSV report will not be deleted. If reportemail is also set to “yes” the XLS report will be emailed as an attachment and not the CSV report.	no yes Example: reportcsv_to_xls=yes   Default is “no”
reportname	This key specifies the report name. The following suffix will be added to the report name: Year_month_monthday_hour_minute_second.csv The default value is “MI_Assemble_Report”.   A prefix can passed from the command line and be added to the report name by adding “%1” to the front of the reportname value.   Example: reportname=%1MobileIron_DeviceReport   The command line variable to define the prefix is set in the optional fourth command line parameter.   Example: assemble_v16.3.exe vsp.ini rules.ini run CustomerX   Using these examples, the report name would be “CustomerX_MobileIron_DeviceReport_timestamp.csv”   If %1 is added to the front of the report name but no fourth command line parameter is set, the %1 will be stripped but not replaced.	Any string is accepted that does not contain illegal Windows file name characters. Example: reportname=MIReport_compromiseddevice
reportnametimestamp	This key indicates if a date/time stamp should be added to the end of the report name at run time.	no yes Example: reportnametimestamp=yes   The default is “yes”.
reportappend	This key indicates if the report should be appended. This would only be applicable if the report name is the same as a previous report and reportnametimestamp was set to “no” on the previous and current Assemble run.   The default value is “no” and a report with the same name will be overwritten.	Example:   reportappend=yes
reportheaders	This key indicates if report column headers should be added to reports.   The default value is “yes”.	Example:   reportheaders=no
reportlocation	This key specifies where the report will be created on the local machine’s directory. The location string must include the trailing “\”. The default is the working directory of Assemble at run time.	Any Windows file path that ends with a “\”. Example: reportlocation=C:\Users\jdoe\mobileironreports\
reportmessage	This key specifies message to be included in the custom row named “reportmessage” of the CSV report. The default message is “MI VSP report message”.	Any string is accepted. Avoid the use of commas. Example: reportmessage=MIReport_compromised device
reportvar	This key specifies which device details to include in the report. The device details must be comma separated with no spaces. The default value is “uuid,principal,manufacturer,ModelName,device_model,compliance.”   Any device detail can be used, but any details with white space must have the white space removed (i.e. “iPhone UDID” should be changed to “iPhoneUDID”.	See reportvar values
reportprofiledetails	This key is used together with the trigger “profile:profilename:statustring”. Together they allow reporting of matching profiles in reports.	no yes Example: reportprofiledetails=yes
reportelementvar	This key specifies whether to append the following element details: 1. Element Operator 2. Trigger 3. Operator 4. Distance 5. Distance Maximum Location Age The default value is “no”	no yes Example: reportelementvar = yes
reportremovedefaultcolumns	This key removes the first two columns “reportmessage” and “action” from the report.   The default setting is “no”.	Example: Reportremovedefaultcolumns=yes
reportcertificates	All the certificates that are currently applied to a matching iOS device can be added into reports. This key adds and populates the following certificates information columns to reports. CertNum Subject Issuer notBefore (in local time) notAfter (in local time) Version   Note: In order for the certificate headers to be generated, it is also necessary to set “certificatesreport=yes” in the section [RuleNum].   NOTE: This is for iOS devices only. Other operating systems will display N/A in each column.	no yes Example: reportcertificates =yes
reportlabels	All the labels that are currently applied to a matching device can be added into reports. This key adds and populates the following applied label information columns to reports. LabelNum LabelName LabelDescription LabelStatic LabelSearchCriteria LabelSearchCriteriaValue     Note: In order for the label headers to be generated, it is also necessary to set “labelsreport=yes” in the section [RuleNum].   If label has multiple filters, the label filter will not display properly.	no yes Example:reportlabels=yes
reportemptydelete	This key will delete reports generated during the Assemble run that are empty.   The default setting is “no”.	reportemptydelete=yes
reportemail	This key specified if a report should be emailed as an attachment.   The default is “no”	yes no   Example: reportemail = yes
reportemailemptyreport	This key specifies if an empty report should be emailed as an attachment. If set to “no”, an email will be sent with no attachment and the subject and body will be appended with “EMPTY REPORT”.   Example: Subject: “Compromised Report” changed to “Compromised Report:EMPTY REPORT” Body: “Compromised device report” changed to “Compromised device report” <carriage return> “=====Empty Report=====”   The default is “no”	yes no   Example: reportemailemptyreport=yes
reportemailemptyreportskip	If this key is set to “yes” and reportemailemptyreport is set to “no” (the default setting), then no email will be sent for an empty report.   The default is “no”.	yes no   Example: reportemailemptyreportskip=yes
sendmailFromName	Specified the name in the email message.	Example: sendmailFromName = MI Admin
sendmailFromAddress	Specifies the from email address.	Example: sendmailFromAddress = [email protected]
sendmailToAddress	Specifies the to addresses. Addresses must be comma separated.	Example: sendmailToAddress = [email protected]
sendmailSubject	Specifies the email subject.	Example: sendmailSubject = Compromised Devices
sendmailBody	Specifies the email body.   The text of the email can be specified in the key value or a file can be used with the email body text in plain text or html. If a file is used, use the format “filelocation;filepath”. Use a semicolon to separate the work filelocation and the path to the file.	Examples:   sendmailBody = List of compromised mobile devices.   sendmailBody = filelocation;c:\assemble\emailbody.txt
sendmailImportance	Specifies the importance setting for the message.	Normal High Low   Example: sendmailImportance = High
commentstring	This action edits the comment for the device in the VSP GUI.   The comment can also include an device variable values by setting the key “commentvar” in the [RuleNumX] section. Just like the key “reportvar”, any device variables can be included.   Example: commentstring=mycomment commentvar=principal,serialnumber   In this example, the comment string that will be added will be in the following format:   mycomment;jsmith;DNQJR80NDTTQ: 2013-04-19 10:54	commentstring=mycomment
commentvar	This key specifies which device details to include in the comment for a device when the action is set to “comment:mycomment”. The device details must be comma separated with no spaces. The default value is “uuid,principal,manufacturer,ModelName,device_model,compliance.”   Any device detail can be used, but any details with white space must have the white space removed (i.e. “iPhone UDID” should be changed to “iPhoneUDID”.	Any comma separated device details. Example: commendvar=principal,serialnumber   Special variables: When utilizing the trigger app:managed|unmanaged|installed|notinstalled|any the follow variables can be utilized: apps_managedstatus: adds the app name and managed/unmanaged status apps_version: adds the app version apps_name: adds the name of the matching app apps_managed: adds only the managed status of the app apps_bundle: adds the bundle name of the matching app (requires setting appnames_verbose=yes in the section [RuleNum]   When ad_data = yes in the rules file the following variables can be utilized: ad_device_dn: adds the device user’s AD distinguished name ad_device_uac: adds the device user’s AD userAccessControl information ad_device_samaccountname: adds the device user’s AD sAMAccountname ad_device_memberof: adds the device user’s AD group memberships ad_device_department: add the device user’s AD deparment ad_device_employeeid: add the device user’s employeeid attribute value
		ad_pass_expire_days: the number of days until the user’s account password will expire and need to be changed. ad_custom1: See section [RuleNum] and the key ad_custom1_attribute for customizing this attribute lookup. ad_custom2: See section [RuleNum] and the key ad_custom2_attribute for customizing this attribute lookup. ad_custom3: See section [RuleNum] and the key ad_custom3_attribute for customizing this attribute lookup. ad_custom4: See section [RuleNum] and the key ad_custom4_attribute for customizing this attribute lookup. ad_custom5: See section [RuleNum] and the key ad_custom5_attribute for customizing this attribute lookup   The variable “lat_long_last_captured_at” is represented in epoch time. Two special variables translate that time into UTC and local time. device_location_capturetime_utc device_location_capturetime_local   The variable “lastconnectedat” is UTC time in the format “2013-01-18T21:13:13”. Two special variables translate that time into a common US format for UTC and local time. lastconnectedat_utc lastconnectedat_local   The variable “last_security_state_changed_on” is UTC time in the format “2013-01-18 21:13:13”. A special variable translates that local time. last_security_state_changed_on_local The following variable will insert the date/time the report was run in the format “year/month/day hour:minute:second” timestamp   The variable “ios_app_connected” is the number of hours since Mobile@Work on iOS last connected to Core. A special variable translates that to local time. ios_app_connected_timestamp
ldap_resync	This key queues a LDAP Resync for the end of an Assemble run if any matching device is found in any rule with this key set to “yes”. Only one resync will be queued for any Assemble run.   The default setting is “no”	Example: ldap_resync=yes
ElementX_elementoperator	The operator is a Boolean expression to compare the element with the previous element. For element 1 this is not applicable.	AND AND NOT OR Example: Element2_elementoperator=OR
ElementX_grouping_prefix	Element grouping prefix can either be “(“ or “)”. The prefix bracket is placed after the element operator if one exists and before the matching value.   Element1 can only have a prefix and no suffix.   The element prefix and suffix settings allow Assemble to better group Boolean rule logic. Prior to Assemble 24.5, only default Boolean precedence was utilized. Beginning in Assemble 24.5, Assemble rule elements can be groups with brackets to control precedence.   Example:   I want to check devices for the following:   Any iOS 7.0 device that has either App1 version less than 1.5 or App2 version less than 2.1.   Logical grouping I need for this statement.   ("platform" contains "ios" AND "OSVersion" equals "7.0") AND (App1 version < "1.5" OR App2 version < "2.1")   Here is how you could try to match the devices prior Assemble 24.5:   Element1_trigger=platform Element1_description=target iOS only Element1_operator=contains Element1_source=local Element1_value=ios   Element2_elementoperator=AND Element2_trigger=OSVersion Element2_description=Target iOS 7 devices Element2_operator=equals Element2_source=local Element2_value=7.0   Element3_elementoperator=AND Element3_trigger=app:version:App1 Element3_description=Target all app versions below current (1.5) Element3_operator=less than Element3_source=local Element3_value=1.5   Element4_elementoperator=OR Element4_trigger=app:version:App2 Element4_description=Target all app versions below current (2.1) Element4_operator=less than Element4_source=local Element4_value=2.1	Example:   Element1_grouping_prefix=( Element1_trigger=platform Element1_description=target iOS only Element1_operator=contains Element1_source=local Element1_value=ios   Element2_elementoperator=AND Element2_trigger=OSVersion Element2_description=Target iOS 7 devices Element2_operator=equals Element2_source=local Element2_value=7.0 Element2_grouping_suffix=)   Element3_elementoperator=AND Element3_grouping_prefix=( Element3_trigger=app:version:App1 Element3_description=Target all app versions below current (1.5) Element3_operator=less than Element3_source=local Element3_value=1.5   Element4_elementoperator=OR Element4_trigger=app:version:App2 Element4_description=Target all app versions below current (2.1) Element4_operator=less than Element4_source=local Element4_value=2.1 Element4_grouping_suffix=)
ElementX_grouping_prefix Description continued... This would not have the desired result for an iOS device not running 7.0 with both apps not running the specified version. They would result in the following Boolean expression:   1 AND 0 AND 1 OR 1 Structure is: "or" | |--"and" | | | |--"and" | | | | | |--"TRUE" | | | | | |--"FALSE" | | | |--"TRUE" | |--"TRUE" Actual Evaluation: We find that it is CONSTANT (TRUE) The iOS device would match the rule which is not the result needed. With Assemble 24.5 and higher it is possible to add the necessary brackets. Element1_grouping_prefix=( Element1_trigger=platform Element1_description=target iOS only Element1_operator=contains Element1_source=local Element1_value=ios Element2_elementoperator=AND Element2_trigger=OSVersion Element2_description=Target iOS 7 devices Element2_operator=equals Element2_source=local Element2_value=7.0 Element2_grouping_suffix=)   Element3_elementoperator=AND Element3_grouping_prefix=( Element3_trigger=app:version:App1 Element3_description=Target all app versions below current (1.5) Element3_operator=less than Element3_source=local Element3_value=1.5   Element4_elementoperator=OR Element4_trigger=app:version:App2 Element4_description=Target all app versions below current (2.1) Element4_operator=less than Element4_source=local Element4_value=2.1 Element4_grouping_suffix=)   (1 AND 0) AND (1 OR 1)
ElementX_grouping_prefix Description continued... "and" | |--"and" | | | |--"TRUE" | | | |--"FALSE" | |--"or" | |--"TRUE" | |--"TRUE" Actual Evaluation: We find that it is CONSTANT (FALSE) With the added brackets with explicit presidence, you can get the desired matching results.
ElementX_grouping_suffix	See ElementX_grouping_prefix description.	Example:   Element1_grouping_prefix=( Element1_trigger=platform Element1_description=target iOS only Element1_operator=contains Element1_source=local Element1_value=ios   Element2_elementoperator=AND Element2_trigger=OSVersion Element2_description=Target iOS 7 devices Element2_operator=equals Element2_source=local Element2_value=7.0 Element2_grouping_suffix=)   Element3_elementoperator=AND Element3_grouping_prefix=( Element3_trigger=app:version:App1 Element3_description=Target all app versions below current (1.5) Element3_operator=less than Element3_source=local Element3_value=1.5   Element4_elementoperator=OR Element4_trigger=app:version:App2 Element4_description=Target all app versions below current (2.1) Element4_operator=less than Element4_source=local Element4_value=2.1 Element4_grouping_suffix=)
ElementX_trigger	The element trigger is what is to be compared to each device’s details.	Special Triggers: app:managed|unmanaged|installed|notinstalled|any country compliancecode distance iOSBackgroundStatus lat_long_last_captured General Triggers: All other device details uuid principal blockReason clientId etc. Example: Element1_trigger=device_model
ElementX_description	Describes the use or purpose of the element trigger	Describes the use or purpose of the element trigger Example: Looking for only iPhone4 devices
ElementX_operator	The operator used when comparing the trigger value with the device value.	Will vary by trigger. See Appendix B Example: Distance operators are greater than or less than
ElementX_source	The source indicates if the trigger value to compare to each device's value is taken from the INI key ElementX_value or from a file containing values. If a file is used, ElementX_value is ignored and the contents of the file are read as the value. If a file is used, multiple values must be comma delimited by default. Any delimiter can be used by setting the delimiter value in the RuleNum section. All carriage returns and line feeds will be stripped from the file when it is read.	Local Full file path Examples: Element1_source=local Element1_source=C:\assemble\corp_serialnumbers.csv
ElementX_value	If ElementX_value=local, this key is used to compare the trigger value on each device.	If ElementX_value=local, this key is used to compare the trigger value on each device. Multiple comma separated values can be used. Example: Element1_value = iPhone4 (could be used for device_model)
ElementX_distance	The distance in meters when comparing the latitude and longitude value of each device with the trigger value. This key is only applicable with the trigger distance.	The distance in meters when comparing the latitude and longitude value of each device with the trigger value. This key is only applicable with the trigger distance. Example: Element1_distance = 1000
ElementX_distance_maxlocationage	The maximum location age for any device in hours. If the age is greater than this value, the distance of the device will ignored and not compared. This key is only applicable with the trigger distance.	The maximum location age for any device. If the age is greater than this value, the distance of the device will ignored and not compared. This key is only applicable with the trigger distance. Example: Element1_distance_maxlocationage = 4
ElementX_distance_operator	If there are multiple latitude and longitude values listed in ElementX_value or pulled from a file using ElementX_source, ElementX_distance_operator determines if all the distance comparisons must match (ElementX_distance_operator=AND) or if only one of them needs to match (ElementX_distance_operator=OR). This key is only applicable with the trigger distance.   Because latitudes and longitude coordinates are comma separated (i.e. 40.151982,-83.144615), when listing multiple coordinates they must be separated by a character other than a comma. The character must be set with the delimiter key in the section [RuleNum].   Example using the coordinate delimiter “|”: [RuleNum] numberofrules=1 sleeptime=250 delimiter=|     [Rule1] NumberofElements=1 Action=removelabel:OnSiteLabel ActionReason=corporate owned device is too far from the building   Element1_trigger=distance Element1_description=corporate owned device is too far from the building Element1_operator=greater than Element1_source=local Element1_value=40.151982,-83.144615|33.784337,-118.141544|32.784337,-118.141544|31.784337,-118.141544 Element1_distance=1000 Element1_distance_maxlocationage=24 Element1_distance_operator=OR	Example: Element1_distance_operator=AND   The default value is “OR” if ElementX_distance_operator is not set.
ElementX_label_operator	If there are multiple label name values listed in ElementX_value or pulled from a file using ElementX_source, ElementX_label_operator determines if all the label comparisons must match (ElementX_label_operator=AND) or if only one of them needs to match (ElementX_label_operator=OR). This key is only applicable with the trigger label:name.	Example: Element1_label_operator=AND   The default value is “OR” if ElementX_label_operator is not set.
ElementX_default_trigger_operator	When a generic trigger is used (e.g. on not listed specifically in the Triggers in Appendix B that falls under “All other device details”), the ElementX_operator is set to “does not contain” or “does not equal” and the value is a comma separated list this setting can be utilized.   By default Assemble will assess CSV values listed in ElementX_value or values from a CSV file using ElementX_source=path_to_csv with an explicit OR operator. This setting can change that explicit OR to AND to check that the device detail compared by the trigger does not contain or equal all CSV values.	Example: Element1_default_trigger_operator=AND
ElementX_value_suffix_character=\	In some cases, the information needed for comparision may be at the end of the device detail value. This case has only been found to be true for upcoming Windows 7/8 device detail value evaluations using Assemble.   Example value from a registry key: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130911.023   In this case you need to assess the virus definition version, but the version is contained after the last “\” symbol. Using ElementX_value_suffix_character allows you to check just the version number in the reported registry key   Element1_trigger=details_custom5 Element1_description=minimum virusdef version Element1_operator=less than Element1_source=local Element1_value=20130911.023 Element1_value_suffix_character=\	Element1_value_suffix_character=\

reportvar values

Any comma separated device details.

Example: reportvar=uuid,principal,manufacturer,ModelName,device_model,compliance,compliance_COMPROMISED,compliance_REQUIRED_APP,compliance_DISALLOWED_APP

Special variables:

When utilizing the trigger app:managed|unmanaged|installed|notinstalled|any the follow variables can be utilized:

•

apps_managedstatus: adds the app name and managed/unmanaged status

•

apps_version: adds the app version

•

apps_name: adds the name of the matching app

•

apps_managed: adds only the managed status of the app

•

apps_bundle: adds the bundle name of the matching app (requires setting appnames_verbose=yes in the section [RuleNum]

•

When ad_data = yes in the rules file the following variables can be utilized:

•

ad_device_dn: adds the device user's AD distinguished name

•

ad_device_uac: adds the device user's AD userAccessControl information

•

ad_device_samaccountname: adds the device user's AD sAMAccountname

•

ad_device_memberof: adds the device user's AD group memberships

•

ad_device_department: add the device user's AD deparment

•

ad_device_employeeid: add the device user's employeeid attribute value

•

ad_pass_expire_days: the number of days until the user's account password will expire and need to be changed.

•

ad_custom1: See section [RuleNum] and the key ad_custom1_attribute for customizing this attribute lookup.

•

ad_custom2: See section [RuleNum] and the key ad_custom2_attribute for customizing this attribute lookup.

•

ad_custom3: See section [RuleNum] and the key ad_custom3_attribute for customizing this attribute lookup.

•

ad_custom4: See section [RuleNum] and the key ad_custom4_attribute for customizing this attribute lookup.

•

ad_custom5: See section [RuleNum] and the key ad_custom5_attribute for customizing this attribute lookup

•

The variable "lat_long_last_captured_at" is represented in epoch time. Two special variables translate that time into UTC and local time.

•

device_location_capturetime_utc

•

device_location_capturetime_local

•

The variable "lastconnectedat" is UTC time in the format "2013-01-18T21:13:13". Two special variables translate that time into a common US format for UTC and local time.

•

lastconnectedat_utc

•

lastconnectedat_local

•

The variable "last_security_state_changed_on" is UTC time in the format "2013-01-18 21:13:13". A special variable translates that local time.

•

last_security_state_changed_on_local

•

The variable ActiveSyncDeviceOS can be included. If the VSP has pushed an Exchange profile to the device, it is syncing with the Sentry and shows up as a registered device in the ActiveSync Associations page the DeviceOS reported by ActiveSync will be looked up for the device and included in the report.

Example:

DeviceOS = iOS 7.1 11D167

In order to pull ActiveSyncDeviceOS, "app" must be set in the [RuleNum] section and the Assemble user must have all administration roles.

The following variable will insert the date/time the report was run in the format "year/month/day hour:minute:second"

timestamp

Example INI rule settings file:

[RuleNum]

numberofrules=4

sleeptime=2000

delimeter=,

[Rule1]

NumberofElements=2

Action=applylabel:corporateowned

Wakeup=yes

SendMessage=yes

SendMessageText=Your device now has the policies for a corporate owned device.

Element1_trigger=device_id

Element1_description=corporate owned device_id match

Element1_operator=equals

Element1_source=local

Element1_value=6Q046Z5YA4S,DLXFR932DJHG,417a99d4d10d21ec

Element2_elementoperator=OR

Element2_trigger=serialnumber

Element2_description=corporate owned device serial match

Element2_operator=equals

Element2_source=local

Element2_value=6Q046Z5YA4S,DLXFR932DJHG

[Rule2]

NumberofElements=2

Action=applylabel:employeeowned

Wakeup=yes

SendMessage=yes

SendMessageText=Your device now has the policies for an employee owned device.

Element1_trigger=serialnumber

Element1_description=corporate owned device serial match

Element1_operator=does not equal

Element1_source=local

Element1_value=C39GKAV3DTDN,DLXFR932DJHG

Element2_elementoperator=OR

Element2_trigger=device_id

Element2_description=corporate owned device serial match

Element2_operator=does not equal

Element2_source=local

Element2_value=6Q046Z5YA4S,DLXFR932DJHG

[Rule3]

NumberofElements=1

Action=retire

ActionReason=corporate owned device is too far from the building

Wakeup=no

SendMessage=no

Element1_trigger=distance

Element1_description=corporate owned device is too far from the building

Element1_operator=greater than

Element1_source=local

Element1_value=33.784337,-118.141544

Element1_distance=1000

Element1_distance_maxlocationage=24

[Rule4]

NumberofElements=1

Action=applelabel:compromised

ActionReason=device in US

Wakeup=yes

SendMessage=yes

SendMessageText=Your device is in US.

syslogsend=yes

syslogserver=192.168.1.11

syslogport=514

syslogmessage=compromised device

syslognotice=security.info

syslogvar=uuid,principal,manufacturer,ModelName,device_model,compliance,compliance_COMPROMISED,compliance_REQUIRED_APP,compliance_DISALLOWED_APP

reportsend=yes

reportname=MIReport_compromiseddevice

reportlocation=C:\Users\jdoe\mobileironreports\

reportmessage=MIReport_compromised device

reportvar=uuid,principal,manufacturer,ModelName,device_model,compliance,compliance_COMPROMISED,compliance_REQUIRED_APP,compliance_DISALLOWED_APP

reportelementvar = yes

Element1_trigger=compliancecode

Element1_description=Check for compromised device

Element1_operator=equals

Element1_source=local

Element1_value=1

ElementX_grouping_prefix description

Element grouping prefix can either be "(" or ")". The prefix bracket is placed after the element operator if one exists and before the matching value.

Element1 can only have a prefix and no suffix.

The element prefix and suffix settings allow Assemble to better group Boolean rule logic. Prior to Assemble 24.5, only default Boolean precedence was utilized. Beginning in Assemble 24.5, Assemble rule elements can be groups with brackets to control precedence.

Example:

I want to check devices for the following:

Any iOS 7.0 device that has either App1 version less than 1.5 or App2 version less than 2.1.

Logical grouping I need for this statement.

("platform" contains "ios" AND "OSVersion" equals "7.0") AND (App1 version < "1.5" OR App2 version < "2.1")

Here is how you could try to match the devices prior Assemble 24.5:

Element1_trigger=platform

Element1_description=target iOS only

Element1_operator=contains

Element1_source=local

Element1_value=ios

 

Element2_elementoperator=AND

Element2_trigger=OSVersion

Element2_description=Target iOS 7 devices

Element2_operator=equals

Element2_source=local

Element2_value=7.0

 

Element3_elementoperator=AND

Element3_trigger=app:version:App1

Element3_description=Target all app versions below current (1.5)

Element3_operator=less than

Element3_source=local

Element3_value=1.5

 

Element4_elementoperator=OR

Element4_trigger=app:version:App2

Element4_description=Target all app versions below current (2.1)

Element4_operator=less than

Element4_source=local

Element4_value=2.1

This would not have the desired result for an iOS device not running 7.0 with both apps not running the specified version. They would result in the following Boolean expression:

1 AND 0 AND 1 OR 1

Structure is:

"or"

|

|--"and"

| |

| |--"and"

| | |

| | |--"TRUE"

| | |

| | |--"FALSE"

| |

| |--"TRUE"

|

|--"TRUE"

 

Actual Evaluation: We find that it is CONSTANT (TRUE)

The iOS device would match the rule which is not the result needed.

With Assemble 24.5 and higher it is possible to add the necessary brackets.

Element1_grouping_prefix=(

Element1_trigger=platform

Element1_description=target iOS only

Element1_operator=contains

Element1_source=local

Element1_value=ios

 

Element2_elementoperator=AND

Element2_trigger=OSVersion

Element2_description=Target iOS 7 devices

Element2_operator=equals

Element2_source=local

Element2_value=7.0

Element2_grouping_suffix=)

 

Element3_elementoperator=AND

Element3_grouping_prefix=(

Element3_trigger=app:version:App1

Element3_description=Target all app versions below current (1.5)

Element3_operator=less than

Element3_source=local

Element3_value=1.5

 

Element4_elementoperator=OR

Element4_trigger=app:version:App2

Element4_description=Target all app versions below current (2.1)

Element4_operator=less than

Element4_source=local

Element4_value=2.1

Element4_grouping_suffix=)

 

(1 AND 0) AND (1 OR 1)

"and"

|

|--"and"

| |

| |--"TRUE"

| |

| |--"FALSE"

|

|--"or"

|

|--"TRUE"

|

|--"TRUE"

Actual Evaluation: We find that it is CONSTANT (FALSE)

With the added brackets with explicit presidence, you can get the desired matching results.

Section: [ASRuleX]

This section defines the details for one rule.

Key	Description	Values
NumberofElements	The number of elements for the rule.	1-5 Example: numberofrules=4
Action	The action for the rule.	activesync:block,reinstate or wipemessage
ActionReason	The reason for the action.	Any description Example:ActionReason=Allow Windows 7 devices to connect to ActiveSync
ElementX_elementoperator	The operator is a Boolean expression to compare the element with the previous element. For element 1 this is not applicable.	AND AND NOT OR Example: Element2_elementoperator=OR
ElementX_trigger	The element trigger is what is to be compared to each device’s ActiveSync details.	See ActiveSync TriggersActiveSync Triggers for supported triggers.
ElementX_description	Describes the use or purpose of the element trigger	Describes the use or purpose of the element trigger Example: allow Windows 7 device
ElementX_operator	The operator used when comparing the trigger value with the device value.	containsdoes not contain
ElementX_source	The source indicates if the trigger value to compare to each device's value is taken from the INI key ElementX_value or from a file containing values. If a file is used, ElementX_value is ignored and the contents of the file are read as the value.If a file is used, multiple values must be comma delimited by default. Any delimiter can be used by setting the delimiter value in the RuleNum section. All carriage returns and line feeds will be stripped from the file when it is read.All values are assessed with an implicit OR operator within the rule element.	LocalFull file path Examples:Element1_source=localElement1_source=C:\assemble\corp_serialnumbers.csv
ElementX_value	If ElementX_value=local, this key is used to compare the trigger value on each device.	If ElementX_value=local, this key is used to compare the trigger value on each device. Multiple comma separated values can be used. Multiple values are assessed with an implicit OR operator within the rule element. Example: Element1_value = Windows Phone 7
SendSMTP	Sends a SMTP email to the ActiveSync device’s user.The SMTP setting must be configured in the vsp.ini file. See section SMTP Connection and Authentication.The following device details are sent for the device in the email.Username: John SmithMailboxID: jsmithEmail Address: [email protected]: iPhone3C3DeviceID: ApplC8QF934GDDZ3Platform: iOSPlatformCode: 11Status: UnregisteredActiveSyncStatus: BlockedActionSource: AUTOBLOCK	Example:SendSMTP=yes
SendSMTPDomain	Specifies the email domain. This is needed because the MailboxID is often in the format username or domain\username.1. If the MailBoxID is in the format username, the SendSMTPDomain value (i.e. @mobileiron.com) is added to the end of the username. 2. If the MailBoxID is in the format domain\username, "domain\" is stripped and the SendSMTPDomain is added to the end of the username. 3. If the MailBoxID is an email address it is not altered.	Example:[email protected]
SendSMTPFromAddress	The “from address” of the SMTP email.	Example:[email protected]
SendSMTPFromName	The “from name” of the SMTP email.	Example:SendSMTPFromName=Assemble
SendSMTPSubject	The subject of the SMTP email.	Example:SendSMTPSubject=Assemble:Blocked ActiveSync Device
SendSMTPImportance	The importance level of the SMTP email. 1. High 1. Normal Low	Example: SendSMTPImportance=High
SendSMTPAdmin	Sends a SMTP email to the administrator with all matching ActiveSync devices.The SMTP setting must be configured in the vsp.ini file. See section SMTP Connection and Authentication.The following device details are sent for each device in a single email message.Username: John SmithMailboxID: jsmithEmail Address: [email protected]: iPhone3C3DeviceID: ApplC8QF934GDDZ3Platform: iOSPlatformCode: 11Status: UnregisteredActiveSyncStatus: BlockedActionSource: AUTOBLOCK	Example:SendSMTPAdmin=yes
SendSMTPAdminFromAddress	The “from address” of the SMTP email.	Example:[email protected]
SendSMTPAdminFromName	The “from name” of the SMTP email.	Example:SendSMTPAdminFromName=Assemble
SendSMTPAdminToAddress	The “to address” of the SMTP email.	Example:[email protected]
SendSMTPAdminSubject	The subject of the SMTP email.	Example:SendSMTPAdminSubject=Assemble:Blocked ActiveSync Devices
SendSMTPAdminImportance	The importance level of the SMTP email. 1. High 1. Normal Low	Example: SendSMTPAdminImportance=High

Example INI rule settings file:

[RuleNum]

numberofrules=0

numberofrules_as=1

sleeptime=20

delimeter=,

[ASRule1]

NumberofElements=1

Action=activesync:reinstate

ActionReason=allow Windows 7 devices

Element1_trigger=platform

Element1_description=allow Windows 7 device

Element1_operator=contains

Element1_source=local

Element1_value=Windows Phone 7

Triggers

Trigger	Description	Values	Operators
app:managed|unmanaged|installed|notinstalled|any	Checks if a specified app is managed, unmanaged, installed, not installed or any. The ‘app:any’ trigger is mainly for reporting and matches all devices.This trigger must be used in conjunction with the key “appnames” in the section [RuleNum].Supported in Assemble 40.5 and higher:Assemble supports reading multiple comma separated app names. Assemble will check the apps with an implicit OR operator.Example:App1 OR App2 OR App3Assemble will stop matching when it finds the first match for a device and will not check the other apps in the list.If the appname(s) contain non-ASCII characters (e.g. Chinese characters), the values must be read from a UTF-8 encoded file. This is because Assemble cannot read unicode characters from a .ini file but can read unicode charcters from other file types.Example:Element1_trigger=app:installedElement1_description=at least one app in list installed on deviceElement1_operator=equalsElement1_source= "c:\assemble\appnames_unicode.txt "	Example: Element1_trigger=app:unmanagedElement1_value=anyconnect	equals
app:version:appname	Checks if a specified app is installed and compares the app version number.This trigger must be used in conjunction with the key “appnames” in the section [RuleNum].The list of appnames and versions can be read from a file. This allows for checking multiple app/version pairs and also provides support for non-ASCII app names.Example:Element1_trigger=app:version:file:appnames_versions_unicode.txtWhen reading from a file, the appname and version will be read from the file.Example:Perfect365,1.0网易云音乐,1.0PDFReader Free,1.0The file must reside in the same folder as Assemble. If the file contains no-ASCII characters, it must be save in UTF-8 format.Each appname an version must be on a separate line.When reading from a file, the report variables such as apps_name and apps_version will not function. Instead the report columns will have headers added at the end called “appname” and “appversion”. Each app/version match from the list will be added to the report on their own line.	Example:Element1_trigger=app:version:anyconnectElement1_description=anyconnect 2.5.5130Element1_operator=equalsElement1_source=localElement1_value=2.5.5130	equalsdoes not equalgreater thanless thancontainsdoes not contain
ad:attribute:attributename	Checks for AD information.Choose an AD attribute for each device’s user and compare the value. Below are the strings that can be matched with the attribute userAccountControl: 1. SCRIPT 1. ACCOUNTDISABLE HOMEDIR_REQUIRED LOCKOUT PASSWD_NOTREQD PASSWD_CANT_CHANGE ENCRYPTED_TEXT_PASSWORD_ALLOWED TEMP_DUPLICATE_ACCOUNT NORMAL_ACCOUNT INTERDOMAIN_TRUST_ACCOUNT WORKSTATION_TRUST_ACCOUNT SERVER_TRUST_ACCOUNT DONT_EXPIRE_PASSWD MNS_LOGON_ACCOUNT SMARTCARD_REQUIRED TRUSTED_FOR_DELEGATION NOT_DELEGATED USE_DES_KEY_ONLY DONT_REQUIRE_PREAUTH PASSWORD_EXPIRED TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION	Example: Element1_trigger=ad:attribute:distinguishedname Element1_operator=contains Element1_source=local Element1_value=”OU=NorthAmerica”	contains does not contain
ad:disabledad:passwordexpiringad:disabled:emailad:disabled:custom:devicedetailname	Checks for AD information. If a device is registered with a local account, the rule will not match. 1. ad:disabled Checks if the device’s user account is disabled by matching the device principal name with a list of disabled AD account sAMAccountName attributes. The key “ad_disabled=yes” must be set in the section [RuleNum]. ad:disabled:email Checks if the device’s user account is disabled by matching the device currentemailaddress with a list of disabled AD account mail attributes. The key “ad_disabled_email=yes” must be set in the section [RuleNum]. ad:passwordexpiring Checks the device user’s AD password expiration in days. 2. ad:disabled:custom:devicedetailname Compares the value of the device detail name specified in the trigger with disabled AD account attribute value set in the key “ad_disabled_custom_attributename” in the section [RuleNum]. Example: If you have set “ad_disabled_custom_attributename=userPrincipalName” in the section [RuleNum] and your trigger is “ad:disabled:custom:emailaddress “ the values returned by AD for the userPrincipalName attribute for all disabled AD accounts will be compared with each device’s “emailaddress” value. If there is a match, the specified rule actions will be taken.	Examples:DisabledElement1_trigger=ad:disabledPasswordExpiringElement1_trigger=ad:passwordexpiringElement1_operator=less thanElement1_value=30	ad:disabledad:disabled:emailad:disabled:custom:devicedetailnameOperators not applicablead:passwordexpiringgreater than less than
apptunnel	This trigger checks if the device does or does not have an established and associated AppTunnel entry from a Sentry appliance.NOTE: This requires the key setting “apptunnel_list = yes” in the section [RuleNum]. If the trigger “apptunnel” is used without setting that key, Assemble will terminate to avoid false positive or negative matching.	Element1_trigger=apptunnelElement1_description=all devicesElement1_operator=established	establishednotestablished
AvailableDeviceCapacity	Available gigabytes of internal device storage.This is an iOS device detail.	Element1_trigger= AvailableDeviceCapacityElement1_description=More than 2 GB of AvailableDeviceCapacityElement1_operator=greater thanElement1_source=localElement1_value=2	greater thanless than
battery_life	Checks the battery life last reported to the VSP.	Example:Element1_trigger=battery_lifeElement1_description=minimum battery lifeElement1_operator=less thanElement1_source=localElement1_value=30	greater thanless than
country	Checks in which country the device is located. An action is taken if it matches or does not match a country in a specified list.Assemble must have access to http://maps.googleapis.com for country lookup to function.Google Maps sometimes returns ZERO_RESULTS for a country lookup for a specific latitude and longitude. If that occurs, Assemble returns ZERO_RESULTS as the country. The value ZERO_RESULTS can be used in Assemble country trigger rules for matching.Assemble uses Google’s Geocoding API. This is from https://developers.google.com/maps/documentation/geocoding/.Use of the Google Geocoding API is subject to a query limit of 2,500 geolocation requests per day. (User of Google Maps API for Business may perform up to 100,000 requests per day.) This limit is enforced to prevent abuse and/or repurposing of the Geocoding API, and this limit may be changed in the future without notice. Additionally, we enforce a request rate limit to prevent abuse of the service. If you exceed the 24-hour limit or otherwise abuse the service, the Geocoding API may stop working for you temporarily. If you continue to exceed this limit, your access to the Geocoding API may be blocked.If you are looking up the location for more that 2,500 devices a day from one IP address, this could cause Assemble not be able to perform geocode look ups for devices.	Comma sperated ISO 3166 country codes Device Details). Optional max location age. Anything older than max location age is ignored. Example (Germany, Switzerland and Denmark): Element1_value=DE,CH,DK Element1_distance_maxlocationage=4	does not contain containsequalsdoes not equal
compliancecode	Checks if a device is or is not violating a specific compliance	0 – Compliant, “Device is in compliance”1 - COMPROMISED, "Phone state is modified"2 - OS_VERSION , "OS version is less than the supported OS version"4 - HW_VERSION, "Hardware Revision Not Allowed"8 - DATA_PROTECTION, "Data Protection is not enabled"16 - POLICY_OUT_OF_DATE, "Policy is out of date"32 - DEVICE_OUT_OF_CONTACT, "Phone is out of contact"64 - APP_CONTROL, "App Control Policy is out of compliance"128 - PER_MAILBOX_LIMIT "Device exceeds per mailbox limit"256 - AUTO_BLOCK, "Device is not registered"512 - MANUAL, "Administratively Blocked"1024 - EXCHANGE, "Exchange Reported"2048 - DEVICE_ADMIN, "Device administrator is deactivated"4096 - DISALLOWED_APP, "Disallowed app control policy is out of compliance"8012 - REQUIRED_APP, "Required app control policy is out of compliance"16384 - ALLOWED_APP, "Allowed app control policy is out of compliance"32768 - Logged Out, "Multi-user iOS device use has signed out"65536 – ATTESTATION_FAILED, “Attestation Failed”4194304 - UNKNOWN,999 – Not Compliant , This special setting matches if the device is violating and security rule.	does not equalequals
client_version	Evaluates the version of the Mobile@Work app on the device.	Element1_trigger=client_versionElement1_description=mobilerion app less than 5.7.1Element1_operator=less thanElement1_source=localElement1_value=5.7.1	greater than less than equals does not equal
day	Checks the current day and compares to the trigger day. Actions can be taken if the statement is true.	Numeric day of week. Range is 1 to 7 which corresponds to Sunday through Saturday. Example: Element1_value=1 Element1_distance_maxlocationage=4	greater than less than equals does not equal
distance	Measures the distance in meters between a specified latititude and longitude. It takes an action if the distance is greater than or less than X meters.When trigger is set to distance, you must set the key delimiter in the section [RuleNum] to something other than “delimiter=,” which is the default. This is because the distance trigger since Assemble 18.4 allows multiple coordinates to be listed in the ElementX_value key. On pair of latitude and longitude coordinates are comma separated and the delimiter is used to separate each pair of coordinates.Example:delimiter=|	Base latitude and longitude coordinates. Distance in meters from coordinates. Optional max location age. Anything older than max location age is ignored. Example: Element1_value=33.784337,-118.141544 Element1_distance=100 Element1_distance_maxlocationage=4	greater than less than
easlastsyncattempt	Checks the number of days since the device last synced with Sentry. Sentry does not update this time stamp every time a device syncs. The time stamp is only updated on the first successful sync of the day (UTC time) for each device).	Element1_trigger=easlastsyncattemptElement1_description=over 60 days since last sync with SentryElement1_operator=greater thanElement1_source=localElement1_value=60	greater thanless thanThe following operators only work when the element value is “NotFound”.equalsdoes not equal
free_ram_size	This is the amount of RAM in megabytes available on the device.This is an Android device detail.	Element1_trigger=free_ram_sizeElement1_description=More than 200 MB of free_ram_sizeElement1_operator=greater thanElement1_source=localElement1_value=200	greater than less than
free_storage_size	This is the amount of internal storage in megabytes available on the device.This is an Android device detail.	Element1_trigger= free_storage_sizeElement1_description=More than 200 MB of free_storage_sizeElement1_operator=greater thanElement1_source=localElement1_value=200	greater than less than
history:devicedetail	Compares the previous recorded device detail. This trigger requires the setting devicehistory=yes in the .ini section [RuleNum].	Example:Element1_trigger=history:complianceElement1_operator=change	1. change This operator matches if the previous value of the device detail is different than the current value. new This operator matches if the device details did not exist previously.
*ios_app_connected*This trigger requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings.	Compares the number of hours since the last time to MobileIron app connected to the VSP.This trigger requires the setting vspdetails=yes in the .ini section [RuleNum].	Example:Element1_trigger=ios_app_connectedElement1_description=ios_app_connected checkElement1_operator=greater thanElement1_source=localElement1_value=60	greater thanless than
iOSBackgroundStatus	Checks the iOSBackgroundStatus setting on any iOS device. That setting indicates if the MobileIron app is able to run in the background to check for the device's jailbreak status and set location data to the VSP.	One of the iOSBackgroundStatus codes. 0 = Enabled 1 = Denied by User 3 = Not Supported Example: Element1_value=0	does not equal equals
label:name	Checks if a label is or is not applied to a device.	The value used to match the label name is not case sensitive.Element1_trigger= label:nameElement1_description=member of Sales LabelElement1_operator=equalsElement1_source=localElement1_value=sales	containsdoes not containequalsdoes not equalNOTE:The operators “contains” and “does not contain” are essentially wildcard matches. They require a download of assigned labels for each device and can cause Assemble runs to be much longer.
lastConnectedAt	Checks lastConnectedAt on any devices. That setting indicates the date and time of the last MDM connection from the device to the VSP.This trigger is used to calculate the number of days since the device last connected to the VSP.The element value indicates the number of the days since the last connection.	Element1_trigger= lastConnectedAtElement1_description=older than 60 daysElement1_operator=greater thanElement1_source=localElement1_value=60	greater thanless thanequals*equals can only be used for matching devices where lastConnectedAt is blank by setting the element value to “NotFound”.
lastConnectedAt_minutes	Checks lastConnectedAt on any devices. That setting indicates the date and time of the last MDM connection from the device to the VSP.This trigger is used to calculate the number of minutes since the device last connected to the VSP.The element value indicates the number of the days since the last connection.	Element1_trigger= lastConnectedAtElement1_description=older than 60 daysElement1_operator=greater thanElement1_source=localElement1_value=60	greater thanless than
lat_long_last_captured	Measures the time in hours since the location of the device was last captured. It takes an action if the amount of hours is greater or less than X hours.	The number of hours limit since the location of device was captured. Example: Element1_value=4	greater than less than
profile:profilename:statustring	This key checks the profiles applied to iOS devices that can be pushed and the status of those profiles. Profiles that can be pushed show up in the GUI when choosing an iOS device in the Devices page and clicking on Push Profiles on the top left.This trigger only supports iOS devices because pushing profiles is only supported for iOS.ProfileName: Specify the profile name you want to match. To match all profiles use “any”. To match System profiles, be sure to include a leading space because System profiles contain a leading space you may not notice visually.In Assemble version 31.2 and above a file can be specified with multple profile names. This allows multiple profile names to be matched in a single rule. The name of the file must be preceeded with an escape character “/”. The file must be located in the same folder as the Assemble executable.If the profile name contains a “/” character, you must place it in a file as described above.Example:profile:/profiles.csv:anyEach profile name for the device will be checked against each profile name in the file. The profile names in the file must be separated by a delimiter. The default delimiter is a comma. If you choose a different delimiter, you must set the key “delimiter” in the section [RuleNum]. Line feeds and carriage returns will be stripped from the file.StatuString: Specify the status type of the profile. To match all status types use “any”.StatuString Types: ² Applied ² Failed Pending Quarantine Revoked Sent Update Failed Update Pending   If “reportprofiledetails=yes” then all matching profiles will have their information added to the report. There will be a separate row for each matching profile with the following information. ² ProfileMatchNum (total number of matching profiles) ² ProfileType ( iOSPushProfile for this trigger) ProfileName PolicyType ProfileStatuString ProfileLastConnectedAt (local time)	Examples: Element1_trigger=profile:any:any Element1_trigger=profile: System - iOS MDM:Pending (Note the space between the colon and System for default policies that starte with the work System) Element1_trigger=profile:MobileIron SSL VPN:any Element1_trigger=profile:any:Failed	There are no Element operator or value keys used for this trigger.
policies:policyname:statustring	This key checks the policies applied to all devices. This is the list of policies seen in the GUI on the Devices screen when clicking on a single device and expanding the Policies category on the far right.PolicyName: Specify the policy name you want to match. To match all profiles use “any”. StatuString: Specify the status type of the profile. To match all status types use “any”.You can check for multiple policy names. Example:Element1_trigger=policies:policyname1, policyname2, policyname3:anyWhen checking for multiple names, the default delimiter is a comma. If you have app names that contain commas, you can use any other delimiter except a colon. The delimiter must then be set in the key “delimiter” in the secton [RuleNum]. All the names will be checked with the set status and each match will be added to the report.StatuString Types: ² Applied ² Failed ² Pending ² Sent ² If “reportprofiledetails=yes” then all matching profiles will have their information added to the report. There will be a separate row for each matching profile with the following information. ² ProfileMatchNum (total number of matching profiles) ² ProfileType (Policies for this trigger) ² ProfileName ² PolicyType ² ProfileStatuString ² ProfileLastConnectedAt ² (local time) ² An additional option is available to search for devices where the policy has not been assigned and therefore could have no status. For instance, you need to look for devices where policy name “Level2Security” has not been applied to the device. This could be because the label for the policy was not applied to the device or because more than one security policy is assigned to the device, but “Level2Security” has a lower priority. ² To perform a check for a missing policy, use the following syntax. ² Element1_trigger=policies:YourPolicyName:any:missing ² A policy name must be specified and the status string must be ‘any’.	Examples:Element1_trigger=policies:any:anyElement1_trigger=policies:Default Security Policy:PendingElement1_trigger=policies:Default Security Policy:anyElement1_trigger=policies:any:FailedElement1_trigger=policies:Level2Security:any:missing	There are no Element operator or value keys used for this trigger.
appsettings:appsettingname:statustring	This key checks the AppSettings applied to all devices. This is the list of AppSettings seen in the GUI on the Devices screen when clicking on a single device and expanding the AppSettings category on the far right.PolicyName: Specify the policy name you want to match. To match all profiles use “any”. To match System profiles, be sure to include a leading space because System profiles contain a leading space you may not notice visually. You can check for multiple appsetting names. Example:Element1_trigger=appsettings:appname1,appname2,appname3:anyWhen checking for multiple names, the default delimiter is a comma. If you have app names that contain commas, you can use any other delimiter except a colon. The delimiter must then be set in the key “delimiter” in the secton [RuleNum]. All the names will be checked with the set status and each match will be added to the report.StatuString: Specify the status type of the profile. To match all status types use “any”.StatuString Types: ² Applied ² Failed ² Pending ² Quarantine Revoked ² Sent ² Update Failed ² Update Pending ²   If “reportprofiledetails=yes” then all matching profiles will have their information added to the report. There will be a separate row for each matching profile with the following information. ² ProfileMatchNum (total number of matching profiles) ² ProfileType (AppSettings for this trigger) ² ProfileName ² PolicyType ² ProfileStatuString ² ProfileLastConnectedAt ² (local time)	Examples: Element1_trigger=appsettings:any:any Element1_trigger=appsettings: System - iOS MDM:Pending Element1_trigger=appsettings: System - iOS MDM:any (Note the space between the colon and System for default policies that starte with the work System) Element1_trigger=appsettings:any:Failed	There are no Element operator or value keys used for this trigger.
roaming	This setting determines if a device is roaming or not roaming.For iOS devices, the Registered SIM MNC and Current MNC values are compared to determine if the device is roaming. For some CDMA cellular carriers such as Verizon and Sprint, these values cannot be used. Instead the values Registration Operator Name and Current Operator Name are compared. If roaming cannot be determined using either method, the rule will be skipped for the device.For Android devices, the value device_roaming_flag that returns true or false is checked.	The value key is not utilized with the trigger “roaming.”Example:Element1_trigger=roamingElement1_description=roaming deviceElement1_operator=roaming	roamingnotroaming
roamingset	This setting compares the current time to the last time the roaming settings were set by Assemble. If the time is greater than or less than X hours, the trigger will match.The operators are: 1. greater than If Assemble previously set the roaming voice/data settings for an iOS device, this operator compares the current time with the Assemble timestamp for that setting. If the number of hours is greater than X, the rule will match. less than If Assemble previously set the roaming voice/data settings for an iOS device, this operator compares the current time with the Assemble timestamp for that setting. If the number of hours is less than X, the rule will match. Set If Assemble previously set the roaming voice/data settings for an iOS device, this operator will match. Notset If Assemble has not previously set the roaming voice/data settings for an iOS device, this operator will match.	Element1_trigger= roamingsetElement1_description=roaming settings pushed less than 24 hours agoElement1_operator=less thanElement1_source=localElement1_value=24	greater thanless thansetnotset
*registeredon*This trigger requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings.NOTE: Registeredat replaced registeredon in VSP 5.7	Compares the local time/date with the time/date the device was registered with the VSP and returns the number of days.If this trigger is used, the key vspdetails must be set to “yes” in the [RuleNum] section of the INI.	The number of days since the device was registered.Example:Element1_trigger=registeredonElement1_operator=less thanElement1_source=localElement1_value=7This will match all devices registered in the last 7 days.	greater thanless than
*registeredon_datetime*This trigger requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings.NOTE: Registeredat replaced registeredon in VSP 5.7	Compares the date/time specified in the value key with the date/time the device was registered with the VSP and returns the number of minutes as a positive or negative number.The date/time value must be expressed in the local time zone on the machine running Assemble in the following format:Year/Month/Day Hours:Minues:SecondsThe time must be in 24 hour format.Example:2012/12/11 22:00:20If this trigger is used, the key vspdetails must be set to “yes” in the [RuleNum] section of the INI.	The number of days since the device was registered.Example:Element1_trigger=registeredon_datetimeElement1_description=record location of iOS devicesElement1_operator=greater thanElement1_source=localElement1_value=2012/12/11 21:40:20This will match all devices registered after 2012/12/11 21:40:20.	greater thanless than
registeredatNOTE: Registeredat replaced registeredon in VSP 5.7	Compares the local time/date with the time/date the device was registered with the VSP and returns the number of days.	The number of days since the device was registered.Example:Element1_trigger=registeredatElement1_operator=less thanElement1_source=localElement1_value=7This will match all devices registered in the last 7 days.	greater thanless than
Registeredat_minutesNOTE: Registeredat replaced registeredon in VSP 5.7	Compares the local time/date with the time/date the device was registered with the VSP and returns the number of minutes.	The number of minutes since the device was registered.Example:Element1_trigger=registeredatElement1_operator=less thanElement1_source=localElement1_value=60This will match all devices registered in the last 60 minutes.	greater thanless than
registeredat_datetimeNOTE: Registeredt replaced registeredon in VSP 5.7	Compares the date/time specified in the value key with the date/time the device was registered with the VSP and returns the number of minutes as a positive or negative number.The date/time value must be expressed in the local time zone on the machine running Assemble in the following format:Year/Month/Day Hours:Minues:SecondsThe time must be in 24 hour format.Example:2012/12/11 22:00:20	The number of days since the device was registered.Example:Element1_trigger=registeredat_datetimeElement1_description=record location of iOS devicesElement1_operator=greater thanElement1_source=localElement1_value=2012/12/11 21:40:20This will match all devices registered after 2012/12/11 21:40:20.	greater thanless than
createdatNOTE: createdat added in VSP 5.7	Compares the local time/date with the time/date the device was created in the VSP and returns the number of days.	The number of days since the device was created.Example:Element1_trigger=createdatElement1_operator=less thanElement1_source=localElement1_value=7This will match all devices created in the last 7 days.	greater thanless than
createdat_datetimeNOTE: createdat added in VSP 5.7	Compares the date/time specified in the value key with the date/time the device was created in the VSP and returns the number of minutes as a positive or negative number.The date/time value must be expressed in the local time zone on the machine running Assemble in the following format:Year/Month/Day Hours:Minues:SecondsThe time must be in 24 hour format.Example:2012/12/11 22:00:20	The number of days since the device was created.Example:Element1_trigger=createdat_datetimeElement1_description=record location of iOS devicesElement1_operator=greater thanElement1_source=localElement1_value=2012/12/11 21:40:20This will match all devices registered after 2012/12/11 21:40:20.	greater thanless than
last_security_state_changed_on	Measures the time in hours since the security state of the device was last changed. The device detail “security_state” indicates if the devices is compromised or non-compromised (rooted/jailbroken). It matches if the amount of hours is greater or less than X hours.	The number of hours since “security_state” changed. Example: Element1_value=24	greater than less than
profileinventory: PayloadOrganizationprofileinventory: PayloadDescriptionprofileinventory: PayloadDisplayNameprofileinventory: PayloadIdentifier	This trigger will look though the content for each iOS profile in the Profile Inventory and match the value of the specified key. That can be viewed in the VSP GUI one iOS device at a time in Users & Devices by choosing an iOS device, expanding iOS, clicking on Profile Inventory and then clicking on View Content for each profile which displays the profile plist contents.The trigger will look for the value of one of the following specified keys:PayloadOrganization ² PayloadDescription ² PayloadDisplayName ² PayloadIdentifier ² The trigger will then look for the value for these keys. In most instances each of these keys will be listed multiple times in the content and Assemble will check each value for a match. ² This trigger is only applicable for iOS devices. Other devices will not match and will be skipped. ² At this time, the profile information is not included in reports.	[RuleNum] numberofrules=1 sleeptime=250 delimeter=, connectedcloud=yes activedevicedownload=label:iOS [Rule1] NumberofElements=2 Action=report ActionReason=app inventory reportsend=yes reportname=linkedin reportlocation=C:\assemble\reports\ reportmessage=linkedin reportvar=uuid,principal,emailAddress,currentphonenumber,manufacturer Element1_trigger=profileinventory:PayloadDescription Element1_description=location services disabled Element1_operator=contains Element1_source=local Element1_value=LinkedIn	containsdoes not containequalsdoes not equal
simchange	Compares the original imsi number “registration_imsi” with the current imsi number“imsi”. Actions can be taken is they changed or not changed.	No values are used for this trigger. Only the registration and current IMSI numbers for the device are compared.	changenochange
time	Checks the current time and compares to the trigger time. Actions can be taken if the statement is true.	Hour and minutes in 24 hour format. A single digit hour must be preceded by a zero. Example: Element1_value=08:30	greater than less than
All other device details	Checks the device details with the same name. Some device details have white spaces that must be removed (i.e. “iPhone UDID” should be changed to “iPhoneUDID”. Actions can be taken if the statement is true	Vary by device details. Examples: Element1_trigger=security_state Element1_value=0 (iOS compromised) Element1_trigger=security_state Element1_value=Compromised (Android compromised) Element1_trigger=device_manufacturer Element1_value=Apple Element1_trigger=Samsung_DM Element1_value=FW: Key2,1 SW:1.0	does not contain containsdoes not equal*equalsThe operator equals can also be used for the value “NotFound” to allow for taking actions if a key does not exist. This was added specifically for the key “Samsung_DM” which indicates a device is a Samsung SAFE device. If the device is not a Samsung SAFE device the value will return “NotFound”.*greater than*less thanThe operators greater than and less than can only be used for numerical values. Any device value with letters will be skipped. Numbers with dot notation such as OSVersion (i.e. 6.2.1) can be used.*reverse containsThe operator “contains” checks if the device value contains the element value. “Reverse contains” checks if the element value contains the device value.

ActiveSync Triggers

Trigger	Description	Values	Operators
actionsource	The source of the ActiveSync allow or block action for the device.	AutoBlock: The allow/block status of the device was set by the Auto Block Unregistered Devices in the Sentry preferences.Exchange: The device was allowed access by a VSP Exchange policy.Manual: The device was allowed/blocked by a manual action in the ActiveSync Devices page of the VSP.Policy: The device was allowed/blocked by a Security Policy compliance action.Example:Element1_trigger=actionsourceElement1_description=autoblocked deviceElement1_operator=containsElement1_source=localElement1_value=autoblock	containsdoes not contain
activesyncstatus	Indicates is the device is currently allowed or blocked from ActiveSync by the Sentry.	Allowed: The device is allowed to sync with ActiveSync.Blocked: The device is blocked from syncing with ActiveSyncExample:Element1_trigger=activesyncstatusElement1_description=blocked deviceElement1_operator=containsElement1_source=localElement1_value=blocked	containsdoes not contain
devicehistory:new	Indicates if the device entry existed during the last Assemble run. The key “activesynchistory=yes” must be set in the section [RuleNum] for this trigger to function.	No values needed for this trigger.Example:Element1_trigger=devicehistory:newElement1_description=autoblocked device	N/A
deviceid	Matches the DeviceID recorded by the Sentry.	Example:Element1_trigger=deviceidElement1_description=manualElement1_operator=equalsElement1_source=localElement1_value=ApplDMPHW87XDVD1	containsdoes not containequalsdoes not equal
lastSyncTime_days	Matches devices by the number of days since the Last Sync Time timestamp	Element1_trigger=lastSyncTime_daysElement1_description= last sync over 90 day agoElement1_operator=greater thanElement1_source=localElement1_value=90	greater than
mailboxid	The mailboxid of the user. Examples: ² jsmith ² domain/jsmith [email protected]	Any string is allowed that will match the mailboxid.	containsdoes not containequalsdoes not equal
devicemodel	The DeviceModel string for the device. This value is the same that shows up as DeviceModel in the details for the devices in ActiveSync associations.Examples: ² iPhone ² Enterproid SecuredMIAndroidEmailDivide SAMSUNGSMN900A	Any string is allowed that will match the DeviceModel.	containsdoes not containequalsdoes not equal
devicetype	The DeviceType string for the device. This value is the same that shows up as DeviceType in the details for the devices in ActiveSync associations.Examples: ² iPhone ² Enterproid ² SecuredMIAndroidEmailDivide ² SAMSUNGSMN900A	Any string is allowed that will match the DeviceType.	containsdoes not containequalsdoes not equal
domain	Matches the domain column for entried on the ActiveSync Associations page.	Example:Element1_trigger=domainElement1_description=match devices with domain "Standalone(Proxy)"Element1_operator=containsElement1_source=localElement1_value=Standalone	containsdoes not containequalsdoes not equal
platform	The operating system of the ActiveSync device.	AndroidiOSOther: OS cannot be identifiedWindows Phone 7Windows Phone 8Example:Element1_trigger=platformElement1_description=Windows 7 deviceElement1_operator=containsElement1_source=localElement1_value=Windows Phone 7	containsdoes not contain
status	Indicates if the device is Registered or Unregistered.	Registered: The device is registered with the VSP.Unregistered: The device is not registered with the VSPExample:Element1_trigger=statusElement1_description=registered deviceElement1_operator=equalsElement1_source=localElement1_value=registered	containsdoes not containequalsdoes not equal
useragent	The DeviceUserAgent string for the device. This value is the same that shows up as DeviceUserAgent in the details for the devices in ActiveSync associations.Examples: ² Apple-iPad2C7/1104.167 ² SecuredMIiOSEmail/1.90.8 ² SecuredMIAndroidEmailDivide/1.70.4.15-pim-mi SAMSUNG-SM-N900A/101.40402	Any string is allowed that will match the DeviceUserAgent.	containsdoes not containequalsdoes not equal

Actions

Action	Description	Values
applylabel	Applies a label to the device.	Example: Action=applylabel:corporateowned
removelabel	Removes a label from the device.	Example: Action=removelabel:sales
syslog	Sends details for a device that matches in a syslog message.Note: A syslog message can be sent with any other action by setting syslogsend=yes.	Example: Action=syslog
report	Send details for a device that matches to a CSV report.Note: A report can be created with any other action by setting reportsend=yes.	Example: Action=report
*reprovision*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings	Reprovisions matching devices. This is the equivalent of choosing More Actions->Reprovision Device in the All Smartphones/Devices screen of the VSP.Reprovisioning for active iOS devices is supported by the VSP. Reprovisioning for active Android devices is not valid and can only be used with Pending Android devices.	Example:Action=reprovision
retire	Retires the device from MDM control and performs a selective wipe. Utilizes the INI key ActionReason when sending wipe command to the VSP.	Example: Action=retire
wipe	Performs a full device wipe to factory defaults. Utilizes the INI key ActionReason when sending wipe command to the VSP.	Example: Action=wipe
activesync	Blocks or reinstates ActiveSync access via the MobileIron Sentry. An ActiveSync wipe command can also be sent to the device.Note: When using the actions activesync:reinstate or activesync:remove, those actions usually need to be performed only on devices that were blocked during a previous Assemble run and are now in compliance. To avoid sending reinstate or remove actions to all ActiceSync devices and only target those previously blocked by Assemble, set the key “activesyncactionhistory=yes” in the section [RuleNum]. Assemble will then skip over devices that were not blocked by Assemble during previous runs even if thousands of devices match the Assemble rule.VSP 5.5 Note: The action activesync:block does not work with VSP 5.5 due to an API problem. Use the action activesync:blockalt which uses an alternative method for blocking ActiveSync devices. That action requires an Assemble user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings	Examples:activesync:blockactivesync:reinstateactivesync:wipe*activesync:remove*activesync:blockalt*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings
activesync:assignpolicy;policyname	Assigns an ActiveSync policy to the device.This action requires the key “activesyncpolicyid=yes” in the section [RuleNum].	Example:Action=activesync:assignpolicy;UnregisteredDevicePolicy
lock	Sends a lock command to the device. This locks the screen. If a password/passcode is set the user will have to enter it to unlock the screen	Example:Action=lock
unlock	This action is only supported on Android and iOS devices. Unlocking the device clears its passcode.Notes:• This function does not apply to Android devices locked using face or pattern locks.• Because the MobileIron app cannot remove the passcode on an encrypted Android device, the Unlock command sets the passcode to "un!ockm3!" on encrypted devices.• On Android devices using AppConnect apps, unlock also removes the secure apps passcode.For details, see “Lock, unlock, and retire impact on AppConnect for Android” in the admin guide for Core.	Example:Action=unlock
location:record	This records the following location information for the device in location_history.ini:[UUID]principal=principal(username)emailAddress=emailaddressemployeeOwned=true or falsemanufacturer=device manufacturermodel=device modelphoneNumber=device phone numberplatform=OS and versionuserDisplayName=user display namelocation_1_time=time stamp of last reported locationlocation_1_lat_long=-latitude,longitude of last reported locationlocation_1_locationaddress=street address of last reported locationlocation_1_maplink=Google Maps hyperlink for last reported locationThis information can be used to create a report of the last X number of reported locations. The number of location recorded is dependent on the setting “location_history_entries” in the section [RuleNum].See Location History Report for instruction on creating a location history report.	Example:Action=location:record
message	Sends messages as a primary action. In previous Assemble versions sending push, SMS or email messages were only secondary actions.	Example:Action=message
*ownership:corporate|employee*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings	Changes the ownership of the device to corporate or employee. If the device is already classified as such the action will be ignored.If the action changes, the built in label company-owned or employee owned will be applied and the opposing label will be removed.	Example:Action=ownership:corporate
pushprofile:name:all|matching	When set as “pushprofile:name:all” this action pushes all profiles to all matching iOS devices. Non-iOS devices will be skipped for this action because pushing profiles for other operating systems is not supported. This automates the action of choosing a single iOS device in Users & Devices -> Devices, clicking Push Profiles, choosing all profiles and clicking Push Profile.NOTE: If an Exchange policy is pushed, it will first be pulled from the device before being applied. This will wipe email from the device and force a re-sync. Most policies will not be applied until the device is unlocked.When set as “pushprofile:name:matching” this action pushes only the profile to devices matching the trigger “profile:profilename:statustring”.Example:[Rule1]NumberofElements=1Action=pushprofile:name:matchingActionReason=System - iOS MDM is Pending reportingreportsend=yesreportname=iOSMDMPendingReportreportlocation=C:\assemble\reports\reportmessage=iOS MDMPendingReportreportvar=uuid,principal,currentphonenumber,emailaddress,manufacturer,ModelName,model_universalreportprofiledetails=yesElement1_trigger=profile: System - iOS MDM:PendingElement1_description=System - iOS MDM is Pending	Examples:Action=pushprofile:name:allAction=pushprofile:name:matching
roaming_voice_data:true|false:true|false	Enables or disables voice and/or data roaming on iOS devices. Not all iOS devices voice roaming settings can be controlled. This varies between cellular carriers and iOS versions. If voice roaming cannot be changed, the logs will reflect this limitation with the following entry.Current Voice Roaming Setting: N/AThe settings for this action for voice and data are separated by a colon. Both are must be set with true or false. roaming_voice_data:voicesetting:datasettingIf the desired action cannot be applied to the device because it is not supported (i.e. disabling voice roaming), the action will not be taken. If the desired action matches the current setting on the device (i.e. disable data roaming when data roaming is already disabled), the action will not be taken.	Example:roaming_voice_data:true:false
*multiusersignout*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager SettingsThis action is only supported in VSP 5.1 and higher.	Utilizes the multiuser feature introduced in 5.1 to signout the user from the device which removes the user’s policies and specified managed apps from the device.	Example:Action=multiusersignout
*Found*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings	This action changes the status of a device from Lost to Active.This action also requires the key setting “activedevicedownload=LOST” be included in the [RuleNum] section to allow Assemble to download a list of all the devices with the status LOST.	Example:Action=found
*Lost*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings	This action changes the status of a device from Active to Lost.	Example:Action=lost
*comment*This action requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings	This action edits the comment for the device in the VSP GUI.The key commentstring must also be set.The comment can also include any device variable values by setting the key “commentvar” in the [RuleNumX] section. Just like the key “reportvar”, any device variables can be included.Example:action=commentcommentstring=mycommentcommentvar=principal,serialnumberIn this example, the comment string that will be added will be in the following format:mycomment;jsmith;DNQJR80NDTTQ: 2013-04-19 10:54	Example:Action=comment
samsung_kiosk:enable|disable	This action will enable or disable kiosk mode on Samsung SAFE devices with a Kiosk policy applied. This action is the same going into Actions and choosing Enable Samsung Kiosk ir Disable Samsung Kiosk in the Devices screen of the VSP.	Example:Action=samsung_kiosk:enable
delete*supported in VSP/Core version 7.0 and higher	This key will delete matching retired devices from the VSP/Core appliance. If the device status is not “RETIRED”, Assemble will ignore the device action.The Assemble account must have the role “Delete retired device (API only)”. You must also specify the account’s Admin Space ID in the key “adminDeviceSpaceID” in the section [RuleNum]. The ID for the default VSP/Core Global space is “1” and is also the default setting for the key “adminDeviceSpaceID”.Note: The devices are deleted only if they have been retired for more than one day (24 hours).	Example:Action=delete
compliancecheck	This updates the compliance status of matching devices without waiting for the scheduled compliance check to run.	Example:Action=compliancecheck

Alternative Actions

Alternative actions are used in place of the primary action during a specified time or repetition interval.

Example:

If a device is found to be on the wrong version of iOS and needs to be upgraded, Assemble can be configured to warn the user with a push message for X hours using an alternative action. Each time Assemble runs, it will check if the device is still running the wrong version. If it is, Assemble will continue to warn the user until X hours have elapsed. Once the set interval has elapsed, the primary action will be taken such as block ActiveSync.

The intervals available are minutes, hours and repetitions.

Action	Description	Values
alt_id	The key alt_id is the unique identifier for tracking alternative action intervals and must be unique for each rule. It can be set with any alphanumeric string. If multiple Assemble rule files are in use, the alt_id must be unique across all rule INI files.	Examples:alt_id=rules.ini_rule1alt_id=1245
alt_interval	The key alt_internal determines the time or repetitions to apply the alternative actions and settings for matching devices.The available intervals are minutes, hours and repetitions (Assemble runs).Once the interval has been exceeded, the primary action will be applied. The alternative action will not ever be applied again once the interval has been exceeded, unless the key alt_exceeded_interval is set.The intervals are recorded for each device in the file devicehistory.ini.	Example:alt_interval=minutes:60alt_interval=hours:48alt_repetitions:5
alt_exceeded_interval	This optional key determines the how long the alternative action is ignored once it has exceeded its interval.The available intervals are minutes, hours and repetitions (Assemble runs).Once the interval has been exceeded, the alternative action and its interval will once again be applied. This essentially resets the alternative action interval.The intervals are recorded for each device in the file devicehistory.ini.	Example:alt_exceeded_interval=hours:168
alt_action	See the primary key with the same name in Actions.
alt_wakeup	See the primary key with the same name in Actions.
alt_sendmessage	See the primary key with the same name in Actions.
alt_sendmessagetext	See the primary key with the same name in Actions.
alt_message_days	This key will skip sending messages to devices and only send messages to devices on specific days when using alternative actions and the action is set to "message". The use case for this key is to send warning compliance messages to devices during the alternative action time interval only on specific days instead of every time Assemble is run.	alt_message_days=0,5,15
alt_actionreason	See the primary key with the same name in Actions.
alt_sendmessagesms	See the primary key with the same name in Actions.
alt_sendmessagesmstext	See the primary key with the same name in Actions.
alt_sendmessageemail	See the primary key with the same name in Actions.
alt_sendmessageemailtext	See the primary key with the same name in Actions.
alt_sendmessageemailsubject	See the primary key with the same name in Actions.
alt_reportsend	See the primary key with the same name in Actions.
alt_reportmessage	See the primary key with the same name in Actions.
alt_syslogsend	See the primary key with the same name in Actions.
alt_syslogmessage	See the primary key with the same name in Actions.
alt_syslognotice	See the primary key with the same name in Actions.
alt_SendMessageSMTPEmail	See the primary key with the same name in Actions.
alt_SendMessageSMTPEmailText	See the primary key with the same name in Actions.
alt_SendMessageSMTPEmailSubject	See the primary key with the same name in Actions.

ActiveSync Rule Actions

Action	Description	Values
activesync:block,reinstate,remove or wipe	Block: Block the device from syncing with ActiveSync via Sentry.Reinstate: Allow the device to sync with ActiveSync via Sentry.Wipe: Sent a command for a full device wipe via an ActiveSync command via Sentry.	Example:Action=activesync:block
activesync:assignpolicy;policyname	Assigns an ActiveSync policy to the device.This action requires the key “activesyncpolicyid=yes” in the section [RuleNum].	Example:Action=activesync:assignpolicy;UnregisteredDevicePolicy
message	Send a message to the email address of the device user and/or the administrator with the following device details.Username: John SmithMailboxID: jsmithEmail Address: [email protected]: iPhone3C3DeviceID: ApplC8QF934GDDZ3Platform: iOSPlatformCode: 11Status: UnregisteredActiveSyncStatus: BlockedActionSource: AUTOBLOCKThe SMTP settings in the VSP ini file must be configured. The desired “SendSMTP” settings must also be configured (see Section: [ASRuleX]. Section: [RuleNum] In test mode SMTP messages to individual devices if set will only be logged and not sent, but the administrator SMTP messages if set will be sent.	Example:[RuleNum]numberofrules=0numberofrules_as=1sleeptime=20delimeter=,activesynchistory=yes[ASRule1]NumberofElements=1Action=messageSendSMTP=yesSendSMTPDomain=@mobileiron.comSendSMTPFromAddress=assemble@mobileiron.comSendSMTPFromName=AssembleSendSMTPSubject=Assemble:Blocked ActiveSync DeviceSendSMTPImportance=HighSendSMTPAdmin=yesSendSMTPAdminFromAddress=assemble@mobileiron.comSendSMTPAdminFromName=AssembleSendSMTPAdminToAddress=jsmith@mobileiron.comSendSMTPAdminSubject=Assemble:Blocked ActiveSync DevicesSendSMTPAdminImportance=HighElement1_trigger=activesyncstatusElement1_description=autoblocked deviceElement1_operator=containsElement1_source=localElement1_value=blockedElement2_elementoperator=ANDElement2_trigger=actionsourceElement2_description=autoblocked deviceElement2_operator=containsElement2_source=localElement2_value=autoblockElement3_elementoperator=ANDElement3_trigger=devicehistory:newElement3_description=autoblocked device

Assemble.log

Below is a sample taken from the Assemble log file. Assemble logs are named assemble_timestamp.log (i.e. assemble_2012_08_25_08_17_56.log)

2012-02-18 19:10:13 : ===== BEGIN =====

2012-02-18 19:10:13 : INI File: vsp.ini

2012-02-18 19:10:13 : Rule File: rules.ini

2012-02-18 19:10:15 :

2012-02-18 19:10:15 :

2012-02-18 19:10:15 : *****Device 1 Of 27*****

2012-02-18 19:10:15 : Device 1 UUID: 63661bdc-a82b-4469-8789-53a48f2d6f22

2012-02-18 19:10:15 : Device 1 Principal: jgonzalez

2012-02-18 19:10:15 : Device 1 EmailAddress: [email protected]

2012-02-18 19:10:15 : Device 1 LastConnectedAt: NotFound

2012-02-18 19:10:15 : Device 1 Model: NotFound

2012-02-18 19:10:15 : Device 1 Name: jgonzalez:iOS 5.0:647455890

2012-02-18 19:10:15 : Device 1 PhoneNumber: 647455811

2012-02-18 19:10:15 : Device 1 Platform: iOS 5.0

2012-02-18 19:10:15 : Device 1 UserDisplayName: Jose Gonzales

2012-02-18 19:10:15 : ====Rule 1 Of 1====

2012-02-18 19:10:15 : -----Begin Elements-----

2012-02-18 19:10:15 : Element 1 Trigger: distance

2012-02-18 19:10:15 : Element 1 Description: device is too close to the building

2012-02-18 19:10:15 : Element 1 Operator: greater than

2012-02-18 19:10:15 : Element 1 Source: local

2012-02-18 19:10:15 : Element 1 Value: 33.784337,-118.141544

2012-02-18 19:10:15 : Element 1 Distance: 100

2012-02-18 19:10:15 : Element 1 Distance Max Location Age: 800

2012-02-18 19:10:15 : Device 1 Location: 40.340028,-3.769741

2012-02-18 19:10:15 : Device 1 Location Captured At(Epoch Time): 1329614733775

2012-02-18 19:10:15 : Device Location Captured At (UTC Time): 2012/02/19 01:25:33

2012-02-18 19:10:15 : Device Location Captured At (Local Time): 2012/02/18 17:25:33

2012-02-18 19:10:15 : Device Location Captured X Hours ago: 1

2012-02-18 19:10:15 : Distance from Base Latitude/Longitude (meters): 9378753.54540685

2012-02-18 19:10:15 : Match Type: distance Match

2012-02-18 19:10:15 : distance Rule: greater than

2012-02-18 19:10:15 : Match: Rule Match

2012-02-18 19:10:15 : Element 2 Element Operator: AND

2012-02-18 19:10:15 : Element 2 Trigger: time

2012-02-18 19:10:15 : Element 2 Description: business hours

2012-02-18 19:10:15 : Element 2 Operator: greater than

2012-02-18 19:10:15 : Element 2 Source: local

2012-02-18 19:10:15 : Element 2 Value: 08:30

2012-02-18 19:10:15 : Trigger Time: 08:30

2012-02-18 19:10:15 : Current Time: 19:10

2012-02-18 19:10:15 : Match Type: time Match

2012-02-18 19:10:15 : time Rule: greater than

2012-02-18 19:10:15 : Match: Rule Match

2012-02-18 19:10:15 : Element 3 Element Operator: AND

2012-02-18 19:10:15 : Element 3 Trigger: time

2012-02-18 19:10:15 : Element 3 Description: business hours

2012-02-18 19:10:15 : Element 3 Operator: less than

2012-02-18 19:10:15 : Element 3 Source: local

2012-02-18 19:10:15 : Element 3 Value: 23:30

2012-02-18 19:10:15 : Trigger Time: 23:30

2012-02-18 19:10:15 : Current Time: 19:10

2012-02-18 19:10:15 : Match Type: time Match

2012-02-18 19:10:15 : time Rule: less than

2012-02-18 19:10:15 : Match: Rule Match

2012-02-18 19:10:15 : Element 4 Element Operator: AND

2012-02-18 19:10:15 : Element 4 Trigger: day

2012-02-18 19:10:15 : Element 4 Description: saturday

2012-02-18 19:10:15 : Element 4 Operator: does not equal

2012-02-18 19:10:15 : Element 4 Source: local

2012-02-18 19:10:15 : Element 4 Value: 7

2012-02-18 19:10:15 : Trigger Day: 7

2012-02-18 19:10:15 : Current Day: 7

2012-02-18 19:10:15 : Match Type: day Match

2012-02-18 19:10:15 : day Rule: does not equal

2012-02-18 19:10:15 : Match: No Rule Match

2012-02-18 19:10:15 : Element 5 Element Operator: OR

2012-02-18 19:10:15 : Element 5 Trigger: day

2012-02-18 19:10:15 : Element 5 Description: sunday

2012-02-18 19:10:15 : Element 5 Operator: does not equal

2012-02-18 19:10:15 : Element 5 Source: local

2012-02-18 19:10:15 : Element 5 Value: 1

2012-02-18 19:10:15 : Trigger Day: 1

2012-02-18 19:10:15 : Current Day: 7

2012-02-18 19:10:15 : Match Type: day Match

2012-02-18 19:10:15 : day Rule: does not equal

2012-02-18 19:10:15 : Match: Rule Match

2012-02-18 19:10:15 : -----End Elements-----

2012-02-18 19:10:15 : Combined Element Results : 1:1:1:0:1

2012-02-18 19:10:15 : Combined Element Forumla : 1 AND 1 AND 1 AND 0 OR 1

2012-02-18 19:10:15 : Combined Element Formula Result: True

2012-02-18 19:10:15 : Combined Element Formula Result: Taking Action

2012-02-18 19:10:15 : Action: applylabel:buildingproximity

2012-02-18 19:10:15 : ActionReason: too far to the building

2012-02-18 19:10:15 : WakeUp: yes

2012-02-18 19:10:15 : SendMessage: no

2012-02-18 19:10:15 : ApplyLabel Value: 63661bdc-a82b-4469-8789-53a48f2d6f38,

2012-02-18 19:10:15 :

2012-02-18 19:10:15 :

2012-02-18 19:10:15 : *****Device 2 Of 27*****

2012-02-18 19:10:15 : Device 2 UUID: 1b9fb82e-d811-42ca-853c-444047222e0a

2012-02-18 19:10:15 : Device 2 Principal: ahejnar_local

2012-02-18 19:10:15 : Device 2 EmailAddress: [email protected]

2012-02-18 19:10:15 : Device 2 LastConnectedAt: 2012-01-17T22:00:55+00:00

2012-02-18 19:10:15 : Device 2 Model: NotFound

2012-02-18 19:10:15 : Device 2 Name: ahejnar_local:Android 2.3:9728979121

2012-02-18 19:10:15 : Device 2 PhoneNumber: 9728979121

2012-02-18 19:10:15 : Device 2 Platform: Android 2.3

2012-02-18 19:10:15 : Device 2 UserDisplayName: Andrew Hejnar Local

2012-02-18 19:10:15 : ====Rule 1 Of 1====

2012-02-18 19:10:15 : -----Begin Elements-----

2012-02-18 19:10:15 : Element 1 Trigger: distance

2012-02-18 19:10:15 : Element 1 Description: device is too close to the building

2012-02-18 19:10:15 : Element 1 Operator: greater than

Device Details

Common Detail Descriptions

The following table shows the details common to all devices..

Detail Name	Description	Value Example
deviceid	The unique internal Core numerical id for the device.	212
uuid	Unique identifier for the device.	8d711cdc-e93c-49b1-88d6-222f54132445
principal	User ID for the user of the device. This corresponds to the user ID in the VSP SmartPhone Manager, as seen in SmartPhones & Users | User Management.	jdoe
blockReason	A bitmap value that lists the reasons, if any, that the device is blocked from accessing the ActiveSync server. The possible values are described in 5.2 Compliance, quarantinedStatus, and blockReason values of the MobileIronWebServiceAPI PDF.	0
clientId	For VSP internal use.	1073741831
comment	Comment entered by the administrator.	comment for the device
compliance	A bitmap value that lists the reasons, if any, that the device is out of compliance with its security policy. The possible values are described in 5.2 Compliance, quarantinedStatus, and blockReason values of the MobileIronWebServiceAPI PDF.	0
countryCode	Country code for the device.	1
countryId	Country identifier for the device. VSP assigns this identifier to the country.	183
countryName	Country name for the device.	United States
currentphoneNumber Note:The detail name was changed from phoneNumber in VSP 5.x to currentphonenumber	The phone number entered by the user or administrator during registration.	4085551212
easLastSyncAttempt	Time of the last attempt the device made to synchronize with Exchange ActiveSync.	2012-01-10T20:36:57+00:00
easUuid	Exchange ActiveSync device id.	4d22d6d7-29dc-4c35-8e67-23dee442cf85
emailAddress	The user’s email address as entered during registration.	[email protected]
emailDomain	Email domain of the operator for the device.	txt.att.net
employeeOwned	true - the employee owns the device. false - the enterprise owns the device. The value is set during registration and the administrator can change it.	false
homeOperator	The service operator for the device when it is not roaming.	Verizon
languageCountryId	The unique identifier for the country associated with the language used on the device. For example, there would be a different ID for a Canadian French language device when compared to a device from France. The VSP assigns this identifier to the country.	0
languageId	The unique identifier for the language used on the device.	1
lastConnectedAt	The date and time that the device last made successful contact with the MobileIron server. For iOS devices that have iOS MDM enabled, this value is the time of the last iOS MDM checkin.	2011-07-08T01:52:33+00:00
manufacturer	The device manufacturer as automatically reported by the device during registration.	Research In Motion
mdmManaged	Indicates that the MDM profile is enabled on the device. This field applies only to iOS devices. For other devices, the value is always false.	false
mdmProfileUrlId	VSP internal ID for its iOS MDM profile information.
*modelUse model_universal	The model of the device as reported by the device during registration.	8130
name	The concatenated name used to identify the device/user combination.	jdoe:ios:4085551212
notifyUser	true indicates the user should be notified via SMS and email during registration. false indicates the user should not be notified. The notification consists of the principal name, platform, and phone number.	true
operator	Service provider for the device. The value PDA indicates no operator is associated with the device.	AT&T
operatorId	Identifier of the operator for the device. VSP assigns this identifier to the operator.	269
phoneNumberNote:The detail name was changed in VSP 5.x to currentphonenumber	The phone number entered by the user or administrator during registration.	4085551212
platform	String indicating the platform installed on the device. The string is specified during registration.	iOS
platformType	String indicating the platform name reported by the device.	iOS
quarantinedStatus	A bitmap value that lists the reasons, if any, that the device is quarantined. When a device is quarantined, its configurations (that is, profiles) have been removed due to violations with its security policy. The possible values are described in 5.2 Compliance, quarantinedStatus, and blockReason values of the MobileIronWebServiceAPI PDF.	0
*registeredon	The date/time the device was registered with the VSP. This value is translated into local time.If this variable is used, the key vspdetails must be set to “yes” in the [RuleNum] section of the INI.*This variable requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings.	5/14/2012 2:36:40 AM
registeredatNOTE: Registeredat replaced registeredon in VSP 5.7	The date/time the device was registered with the VSP. This value is translated into local time.If this variable is used, the key vspdetails must be set to “yes” in the [RuleNum] section of the INI.	5/14/2012 2:36:40 AM
status	String indicating the current status of the device with regard to registration and connection. For valid values, see Status field above.	ACTIVE
statusCode	Numeric code defined for the status. See list of valid values above.	97
userDisplayName	The concatenation of the user’s first name and last name as defined during registration.	Joe Doe
userFirstName	User’s first name as defined during registration.	Joe
userLastName	User’s last name as defined during registration.	Doe
userSource	Value 76 for a Local user. Value 68 for an LDAP user. Note: 76 is the value of ASCII ‘L’, which stands for Local. 68 is the value of ASCII ‘D’, which stands for Directory (LDAP).	76
userUUID	Internal user ID.	de398fcb-a3a4-412c-a1dd-9be8bd46e728
iPhoneVersion	Version number of iPhone.	8J2

Android Details Key-Value Descriptions

The following table shows the key-value pairs in the <details> element for Android devices. The set of key-value pairs and the order they appear in the response can vary according to the type of device. Therefore, the table presents the pairs in alphabetical order by the key name.

If a key-value pair is not applicable for a device, typically the HTTP response does not include the pair.

The VSP Admin Guide has more information about fields that are available in the VSP Admin Portal.

Key Name	Key Description	Value
admin_activated	Whether device administrator privilege is activated for the MobileIron client on the device.	truefalse
battery_life	Power remaining in the battery life.	The percentage of power remaining in the battery.Example: 100
board	The name of the underlying board on the Android device.	A name that the Android OS provides.Example: venus2
brand	The brand (e.g., carrier) the Android software is customized for, if any.	A string that the Android OS provides.Example: verizon
c2dmToken	Android C2DM registration ID for the device.	A string of characters
client_name	Name of MobileIron client application on the device.	Example: com.mobileiron
client_version	MobileIron client version number running on the device.	Example: 4.5.0
codename	Android platform’s current development codename, or the string "REL" if this is a release build.	Example: REL
country_code	The device’s Mobile Country Codes (MCCs). MCCs are defined in ITU E.212.	Example for United States: 310
current_mobile_number	Phone number of the device	Example: 4089925779
current_operator_name	Name of current registered operator.	Example: Verizon Wireless
current_SIM_module_number	International Mobile Subscriber Identity number for the device.	Example: 3100044085983632
device	The name of the industrial design of the device.	A string that the Android OS provides.Examples: cdma_droid2cdma_shadow
device_id	Unique identifier for the device	Example: ddc865b69c13eeb4
device_manufacturer	Manufacturer of the device.	Example: motorola
device_model	Model of the Android device	Example: DROID2
device_roaming_flag	Whether the device is roaming.	on – The device is roaming.off -- The device is not roaming.
device_type	Whether the device uses CDMA or GSM technology to transmit voice calls. If the device does not transmit voice calls, this fields whether the device uses CDMA or GSM technology is transmit data.	CDMA or GSM
display_size	Size of the device’s display	Dimensions in pixels, in the format:<height>X<width>Example: 854X480
free_media_card_size	Amount of unused storage on the media card on the device.	Number in bytesExample: 2.36M
free_media_card_size_bytes	Amount of unused storage on the media card on the device.	Number in bytesExample: 104857000
free_ram_size	Amount of RAM available on the device.	Number of megabytes, shown with M suffix.Example: 5.84M
free_ram_size_bytes	Amount of unused RAM memory on the device.	Number in bytes.Example: 104857000
free_storage_size	Amount of unused storage on the device	Number in bytesExample: 6489.68M
free_storage_size_bytes	Size of unused storage on the device.	Number in bytes.Example: 104857000
home_operator	Home service provider for the device	The service provider name, mobile country code and mobile network code of the provider in the following format:<name>::<MCC+MNC> Example: Verizon::310004
imei	International Mobile Equipment Identity of the device.	Example: A00000226EBF9F
imsi	International Mobile Subscriber Identity number for the device.	Example: 3100044085983632
incremental	Android platform version’s build number.	Example: 110719
kiosk_enabled	Indicates is kiosk mode is enabled on the device. The value is true or false.	Example:true
kiosk_user	Shows the username for the current Samsung kiosk user if multi-user is enabled in the VSP Kiosk policy applied to the device.	Examples:N/Ajsmith
lat_long_last_captured_at	The last time the location of the device was recorded.	Specified as seconds since January 1, 1970.Example: 1324421860972
latitude	Latitude of the device’s location.	Degrees latitude.Example: 37.396074
locale	Locale for the device	Examples: en-US en
longitude	Longitude of the device’s location.	Degrees longitudeExample: -122.056339
mdm_enabled	Whether the MobileIron client is fully configured on the device.Note: The MobileIron client can be installed and running, but still unable to manage the device if it is not fully configured.	true – The MobileIron client is fully configured. false – The MobileIron client is not fully configured.
multi_mdm	Whether multiple Device Admin applications are active on the device.	true – More than one Device Admin application are active.False – One or zero Device Admin Applications are active.
network_id	CDMA network identification number.	Example: 6
os_version	The Android SDK version code	Example: 10The value 10 corresponds to Android 2.3.3. Values are defined on http://developer.android.com.
platform_name	Android platform version number on the device.	Example: 2.3.3
processor_architecture	Processor architecture of the device.	armeabi-v7a
prv_bluetooth	Whether the lockdown policy for the device has disabled access to Bluetooth.	ON – Access to Bluetooth is enabled for both audio and data.AUDIO – Access to Bluetooth is enabled for audio only.OFF – Access to Bluetooth is disabled.unsupported – The MobileIron client does not support enabling or disabling Bluetooth on the device.
prv_camera	Whether the lockdown policy for the device has disabled access to the camera.	ON – Access to the camera is enabled.OFF – Access to the camera is disabled.unsupported – The MobileIron client does not support enabling or disabling the camera on the device.
prv_device_encryption	Whether the security policy for the device has enabled data encryption on the device.	on – Device encryption is enabled.off -- Device encryption is not enabled.unsupported – The MobileIron client does not support enabling or disabling data encryption on the device.
prv_exchange_Domain	Domain of the email server of the device’s user.	Email server domain.For example: MOBILEIRONIf the email client is not yet configured, the value is na.If the email client is not supported by MobileIron, then the response does not include this key-value pair.
prv_exchange_Serverfree_media_card_size	Email server for the device’s user.	Email server address.For example: mail.mobileiron.comIf the email client is not yet configured, the value is na.If the email client is not supported by MobileIron, then the response does not include this key-value pair.
prv_exchange_UserName	Email user name of the device’s user.	Email user name.For example: [email protected]If the email client is not yet configured, the value is na.If the email client is not supported by MobileIron, then the response does not include this key-value pair.
prv_exchange_UseSSL	Whether email transport uses Secure Socket Layer.	ON – Email uses the Secure Socket Layer. The value is ON if MobileIron supports the email client and the email client is configured.If the email client is not yet configured, the value is na.If the email client is not supported by MobileIron, then the response does not include this key-value pair.
prv_kiosksettings	The name of the kiosk app settings policy applied to the device.	Example:CompanyXKioskSettings
prv_kioskpolicy	The name of the kiosk policy applied to the device.	CompanyXKioskPolicy
prv_max_failed_attempts	Maximum number of times the user can enter an incorrect password before the device is wiped.	The maximum number, or the value 0 if no maximum exists.This value is applicable only if prv_password_type indicates that a password is mandatory.
prv_max_idle_time	Maximum time the device can be inactive before the user must re-enter the password.	Number of minutesExample: 30This value is applicable only if prv_password_type indicates that a password is mandatory.
prv_password	Whether both of the following conditions are true: - A password is mandatory for the user to access the device, as specified in the device’s security policy. - The device is compliant with the security policy.	ON – Both conditions are true. OFF – One or both of the conditions are not true.
prv_password_expiration_timeout	Numbers of days after which the device’s password will expire.	The number of days, or the value unsupported if a password is optional.Example: 30This value is applicable only if prv_password_type indicates that a password is mandatory.
prv_password_history_length	Number of passwords remembered to ensure that the device’s user define a different password. For example, the value 4 prevents the user from repeating a password for the next four password changes.	A number, or the value unsupported if a password is optional.This value is applicable only if prv_password_type indicates that a password is mandatory.
prv_password_length	Minimum length for the device’s password.	Number between 1 and 10, or -1 which indicates the password has no minimum length.This value is applicable only if prv_password_type indicates that a password is mandatory.
prv_password_minimum_symbols	Minimum number of specialcharacters that must be included in a password. Applicable only to Android 3.0 and higher.	A number or the value unsupported if no minimum is required.This value is applicable only if prv_password_type indicates that a password is mandatory.
prv_password_type	Whether the device’s password is mandatory, and whether it must be restricted to simple numeric input, alphanumeric characters,or has no restrictions. The security policy assigned to the device specifies the password type.	0 – password is mandatory and is restricted to alphanumeric characters.1 – password is mandatory and is restricted to simple numeric characters.2 – password is mandatory and has no character restrictions.-1 – password is optional.
prv_sd_encryption	Whether the security policy for the device has enabled encrypting the contents of the SD (Secure Data card) on the device.	on – SD encryption is enabled.off -- SD encryption is not enabled.unsupported – The MobileIron client does not support enabling or disabling SD encryption on the device.
prv_sdcard	Whether the lockdown policy for the device has disabled access to the SD card.	ON – Access to the SD card is enabled.OFF – Access to the SD card is disabled.unsupported – A lockdown policy is not applied to this device.
prv_vpn_servers	A list of VPN servers that the device can access.	List of semi-colon-separated VPN servers, each given as an IP address, a host name, or a URL. The value is na if the list is empty.
prv_wifi	Whether the lockdown policy for the device has disabled access to wireless LANs.	ON – Access to wireless LANs is enabled.OFF – Access to wireless LANs is disabled.unsupported – The MobileIron client does not support enabling or disabling access to wireless LANs on the device.
prv_wlan_ssids	Wireless local area network Service Set Identifiers for all wireless LANs configures on the device.	List of identifiers, separated by semi-colons.If none, then the value is na.Example: MobileIron-Guest;MobileIron-Test
registration_imsi	International Mobile Subscriber Identity number for the device.	Example: 3100044085983632
registration_operator_name	The name of the service provider for the device.	Example: Verizon
regUuid	Device’s unique ID.	Example: ddc865b69c13eeb4
Samsung_DM	Samsung device information for Samsung devices that support Samsung MDM APIs.	Example:FW: Key2,1 SW:1.0
security_state	Indicates whether the device has been compromised. A compromised Android device means that the device has been rooted, which means that an application has root access to the device’s file system.	Ok – The device has not been compromised.Compromised – The device has been compromised.
SIM_module_number	International Mobile Subscriber Identity number for the device.	Example: IMSI:3104105000000000
system_id	CDMA System Identification number	Example: 40
total_media_card_size	Amount of storage on the media card on the device.	Number of megabytes, shown with M suffix.Example: 7574.19M
total_media_card_size_bytes	Amount of storage on the media card on the device.	Number in bytesExample: 785037745
total_ram_size	Amount of RAM memory on the device.	Number of megabytes, shown with M suffix.Example: 475.93M
total_ram_size_bytes	Amount of RAM memory on the device.	Number in bytesExample: 504857000
total_storage_size	Amount of storage on the device.	Number of megabytes, shown with M suffix.Example: 6700.98M
total_storage_size_bytes	Amount of storage on the device.	Number in bytesExample: 104857000
usb_debugging	Allows Android debug mode, the adb interface of USB or network	Examples:onoff
wifi_mac_addr	Wi-Fi MAC address of the device.	Example: f87b7a29838f
wifimac_universal	A special Assemble variable that returns the WiFi Mac address of an Android, iOS, OS X or Windows device without having to specify the unique WiFi Mac variable name for each OS.	Example: f87b7a29838f

iOS Details Key-Value Descriptions

The following table shows the key-value pairs in the <details> element for iOS devices. The set of key-value pairs and the order they appear in the response vary according to the type of device, such as iPhone or iPad. Therefore, the table presents the pairs in alphabetical order by the key name.

Note: In most cases, key names that have an underscore, such as security_state or Client_build_date, contain information that the device’s MobileIron client provides. Key names without underscores, such as allowUntrustedTLSPrompt or maxGracePeriod, contain information that the device’s operating system provides.

Key Name	Key Description	Value
allowAppInstallation	Whether installation of applications is allowed.	Example: false
allowCloudBackup	Whether backing up the device to iCloud is allowed.Availability: iOS 5.0 and later.	true – Backing up to iCloud is allowed.false – Backing up to iCloud is not allowed.
allowCloudDocumentSync	When false, document and key-value syncing to iCloud is disabled.	Example: false
allowExplicitContent	Whether explicit music or video content purchased from the iTunes Store is hidden. Content is marked as explicit by content providers when sold through the iTunes Store.	true – Explicit content is not hidden.false – Explicit content is hidden.
allowInAppPurchases	Whether In-App purchases are allowed.	true – In-App Purchases are allowed.false - In-App Purchases are not allowed.
allowiTunes	Whether the iTunes Music Store is allowed on the device.	true – iTunes is allowed.false - iTunes is not allowed.
allowMultiPlayerGaming	Whether multiplayer gaming is allowed.	true – Multiplayer gaming is allowed.false - Multiplayer gaming is not allowed.
allowPhotoStream	Indicates whether the device’s Photo Stream is allowed on the device.Availability: iOS 5.0 and later.	true – Photo Stream is allowed. false – Photo Stream is not allowed.
allowUntrustedTLSPrompt	When false, automatically rejects untrusted HTTPS certificates without prompting the user.Availability: iOS 5.0 and later.	true or false
allowVideoConferencing	Whether videoconferencing is allowed on the device.	true - Videoconferencing is allowed.false – Videoconferencing is not allowed.
allowVoiceDialing	Whether voice dialing is allowed when the device is locked.	true – Voice dialing is allowed when the device is locked.false - Voice dialing is not allowed when the device is locked.
allowYouTube	Whether the YouTube application is allowed on the device.	true - YouTube is allowed.false – YouTube is not allowed.
apnsToken	The device’s APNs (Apple Push Notification service) token.	Example: 5c7b0866d6d068f8b4015690b83a6d1c00fb9484bdb00ea40d926bbade28de5f
AvailableDeviceCapacity	Floating-point gigabytes (base-1024 gigabytes).	Example: 13.765106201171875
Battery Level	Floating-point percentage expressed as a value between 0.0 and 1.0, or -1.0 if battery level cannot be determined.Availability: iOS 5.0 and later.	Example: 0.10000000149011612
battery_life	Power remaining in the battery life.	The percentage of power remaining in the battery.Example: 30
BluetoothMAC	Bluetooth MAC address.	Example: B8FF617F7927
BuildVersion	The iOS build number (8A260b, for example).	Example: 8J3
CarrierSettingsVersion	Version of the currently-installed carrier settings file.	Example: 11.0
CellularTechnology	Returns the type of cellular technology.Availability: iOS 4.2.6 and later.	Example: GSM
CheckOut Received	The VSP has received a checkout message from the device. This message indicates that the MDM profile was removed from the device.	true – The VSP has received a checkout message.false – The VSP has not received a checkout message.
Client_build_date	Build date of the MobileIron client.	Example: Apr 8 2011 12:02:24
client_name	Name of MobileIron client application on the device.	Example: com.mobileiron.phoneatwork
Client_version	MobileIron client version number running on the device.	Example: 4.5.12.33698
country_code	The device’s Mobile Country Codes (MCCs). MCCs are defined in ITU E.212 .	Example for United States: 310
Current MCC	The device’s Mobile Country Codes (MCCs). MCCs are defined in ITU E.212 .	Example for United States: 310
Current MNC	Current Mobile Network Code. If the device is not roaming, this is the same as the SIM MNC.	Example: 00
DataRoamingEnabled	Whether Data Roaming is enabled.	Example: false
device_id	The International Mobile Equipment Number for an iPhone.	Example: IMEI:012537000804721
device_manufacturer	Device manufacturer. For iOS devices, the value is always Apple.	Example: Apple
device_model	Model of the iOS device.	Examples: iPad1,1iPhone3,1
device_type	Whether the device uses CDMA or GSM technology to transmit voice calls. If the device does not transmit voice calls, this fields whether the device uses CDMA or GSM technology is transmit data.	CDMA or GSMExample: GSM
DeviceCapacity	Floating-point gibibytes (base-1024 gigabytes).	Example: 14.020126342773438
DeviceCompromised	Whether the device is compromised.	true – The device is compromised.false – The device is not compromised.
DeviceName	The name given to the device via iTunes.	Example: Joe B’s iPad
forceEncryptedBackup	Whether the device forces encrypted backups.	true or false
free_storage_size_byte	Size of unused storage on the device.	Number in bytes.Example: 14780170240.000000000000000
HardwareEncryptionCaps	Describes the underlying hardware encryption capabilities of the device.	The value represents a bit field with following meanings:1 – block-level encryption2 – file-level encryptionTherefore, because these are bit field values, the value 3 means both block-level and file-level encryption.
imeiNote:The detail name imei is no longer used for iOS in VSP 5.x. Use iPhone IMEI or ImeiOrMeid instead.	The device’s IMEI number. Ignored if the device does not support GSM.	Example: 011981001429081
iPhone IMEINote:The detail name imei is no longer used for iOS in VSP 5.x. Use iPhone IMEI or ImeiOrMeid instead.	The device’s IMEI number. Ignored if the device does not support GSM.	Example: 011981001429081
ImeiOrMeidNote:The detail name imei is no longer used for iOS in VSP 5.x. Use iPhone IMEI or ImeiOrMeid instead.	The device’s IMEI number. Ignored if the device does not support GSM.	Example: 011981001429081
*ios_app_connected*This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings.	The number of hours since the MobileIron app has last connected to the VSP.This key requires the setting vspdetails=yes in the .ini section [RuleNum].	61.05
iOSBackgroundStatus	The status of background location multitasking on the device.	0 – The device supports background location multitasking, and the user has enabled location services.1 – The device supports background location multitasking, but the user has disabled location services.2 – Background multitasking has been disabled by the privacy policy applied to the device. 3 – The device hardware does not support background multitasking. 4 – The iOS version is earlier than 4.0, and therefore does not support background multitasking.Example: 3
ip_address	IP address of the device.	Example: 192.168.1.174
iPhone ICCID	The ICC identifier for the installed SIM card.	Example: 8949 2260 7349 2040 105
iPhone IMEI	International Mobile Equipment Identity of the device.	Example: 01 253700 080472 1
iPhone MAC_ADDRESS_EN0	WIFI MAC address of device.	Example: b8:ff:61:7f:79:26
iPhone PRODUCT	The model code for the device (iPhone3,1, for example).	Examples: iPad1,1
iPhone UDID	The unique device identifier (UDID) of the iOS device.	Example: 81a3379d884f1bd9f1b0ce9b340358288081f7a1
iPhone VERSION	The iOS build number of the iOS version that the device is running.	Example: 8J3
it_policy_result	Not used.	Not used.
lat_long_last_captured_at	The last time the location of the device was recorded.	Specified as seconds since January 1, 1970.Example: 1325108114776
latitude	Latitude of the device’s location.	Degrees latitude.Example: 50.645397
locale	Locale for the device	Examples: en-US en
longitude	Longitude of the device’s location.	Degrees longitude.Example: 7.943374
maxGracePeriod	Maximum grace period, in minutes, to unlock the phone without entering a passcode. The value 0 means no grace period is allowed; a passcode is required immediately.	Example: 900
maxInactivity	Number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered.	Example: 300
minLength	Minimum overall length of the passcode.	Example: 4
mobile_number	Phone number of the device.	The mobile number, or the value (null) if the device has no mobile number.Example: +491718169911
Model	The device’s model number.	Examples: MC820LLMC603DN
ModelName	Name of the device model.	Examples: iPadiPhone
ModemFirmwareVersion	The baseband firmware version.	Example: 05.16.05
os_version	The version of iOS that the device is running.	Example: iPhone OS 4.3.3 (8J3)iPhone OS 5.0.1 (9A405)
OSVersion	The version of iOS that the device is running.	Example: 4.3.3
PasscodeIsCompliant	Set to true if the user's passcode is compliant with allrequirements on the device, including Exchange and other accounts.	true or false
PasscodeIsCompliantWithProfiles	Set to true if the user's passcode is compliant with requirements from profiles.	Example: true
PasscodePresent	Set to true if the device is protected by a passcode.	true or false
platform_name	For all iOS devices, this field has the value iPhone.	Example: iPhone
platform_type	Either iPad or iPhone.	Examples: iPadiPhone
processor_architecture	For iOS devices, the value is always ARM.	Example: ARM
ProductName	The model code for the device.	Examples: iPad1,1iPhone3,1
ratingApps	Maximum rating for apps on the device, according to Apple’s ranking of apps.	Example: 1000
ratingMovies	Maximum rating for movies on the device, according to Apple’s ranking of movies.	Example: 1000
ratingTVShows	Maximum rating for TV shows on the device, according to Apple’s ranking of TV shows.	Example: 1000
registration_imsi	International Mobile Subscriber Identity number for the device.	Example: (null)
registration_operator_name	The name of the service provider for the device.	The name of the service provider, or (null) if not applicable.Example: AT&T
safariAcceptCookies	Indicates Safari’s setting to accept cookies.	0 - Never1 - From visited2 - Always
safariAllowPopups	Indicates whether Safari is set to allow pop-ups.	true – popups are allowed.false – popups are not allowed.
safariForceFraudWarning	Indicates whether Safari is set to enable fraud warning.	true – Fraud warning is enabled.false – Fraud warning is not enabled.
security_reason_code	Not used.	Not used.
security_state	Indicates whether the device has been compromised.	0 – The device has been compromised.1 – The device has not been compromised.
SerialNumber	The device’s serial number.	Example: V5046DGHZ38
signal_strength	The signal strength on the device.	A number representing the signal strength, given in dBm.
SIM MCC	Home Mobile Country Code (numeric string). MCCs are defined in ITU E.212 .	Example for United States: 310
SIM MNC	The Mobile Network Code of the SIM card on the device.	Example: 0107
SIMCarrierNetwork	Name of the home carrier network.	Example: Telekom.de
Subscriber Carrier Network	Name of the home carrier network. (ReplacesSIMCarrierNetwork.)Availability: iOS 5.0 and later.	Example: o2-de
Supervised	Indicates if the device is in Supervised mode.	Example: true
total_storage_size_bytes	Amount of storage on the device.	Number in bytes.Example: 15053996032.000000536870912
WiFiMAC	Wi-Fi MAC address.	Example: B8FF617F7926
wifimac_universal	A special Assemble variable that returns the WiFi Mac address of an Android, iOS, OS X or Windows device without having to specify the unique WiFi Mac variable name for each OS.	Example: f87b7a29838f

Windows Phone Details Key-Value Descriptions

The following list shows the keys for Windows Phone devices. The key descriptions will be added at a later time.

•

wp_radio_swv

•

wp_ent_device_name

•

prv_device_encryption

•

prv_nfc

•

prv_wifitethering

•

prv_roamingvoicecalls

•

prv_exchange_Domain

•

device_model

•

prv_password_allow_simple

•

wp_local_time

•

prv_max_idle_time

•

prv_youtube

•

prv_wifi

•

prv_password_expiration_timeout

•

prv_exchange_UserName

•

wp_publisher_device_id

•

wp_wlan_mac_address

•

prv_password_history_length

•

prv_managementremoval

•

prv_password_length

•

prv_lockscreenwidgets

•

prv_screencapture

•

prv_microphone

•

prv_gpsuser

•

wp_management_service_address

•

prv_googlebackup

•

dm_client_version

•

prv_otaupgrade

•

prv_androidbrowser

•

prv_max_failed_attempts

•

prv_camera

•

prv_usbdebug

•

prv_usbmassstorage

•

wp_signed_ent_dm_id

•

prv_password_type

•

prv_sd_encryption

•

prv_gps

•

locale

•

wp_resolution

•

prv_bttethering

•

prv_bluetooth

•

wp_processor_type

•

DataProtection

•

wp_firmware_version

•

prv_exchange_Server

•

wp_hardware_version

•

device_manufacturer

•

prv_exchange_UseSSL

•

prv_copypaste

•

prv_settingchanges

•

wp_exchange_id

•

wp_ent_dm_id

•

device_id

•

prv_password

•

prv_googlemarket

•

os_version

•

wp_os_platform

•

wp_cert_renew_timestamp

•

prv_roamingdata

•

prv_factoryreset

•

prv_password_minimum_symbols

•

prv_usbtethering

•

current_operator

•

prv_sdcard

•

prv_usbmediaplayer

•

wp_processor_arch

wifimac_universal

A special Assemble variable that returns the WiFi Mac address of an Android, iOS, OS X or Windows device without having to specify the unique WiFi Mac variable name for each OS.

Example: f87b7a29838f

Special Detail Descriptions

Additional special device details can be included in syslog messages and reports. The compliance details below split out the “compliance” device detail which is a combined hex number of all the compliance violations of the device.

Example:

A device is compromise and has a disallow app installed. The compliance code would be 4161. This represents the sum of each of the compliance codes representing the security rules being violated.

1 – Device is compromised

64 – App control is out of compliance

4096 - Disa -----Full Rule Match Log Start----- llowed app control policy is out of compliance.

This can be difficult to interpret in a syslog message or report. Another option is to include the split compliance values into separate syslog or report fields.

Example:

reportvar=uuid,principal,manufacturer,ModelName,device_model,compliance,compliance_COMPROMISED,compliance_REQUIRED_APP,compliance_DISALLOWED_APP

1.

compliance – The will show the aggregate compliance code

1.

compliance_COMPROMISED – This will show if the device is compromised (0 or 1).

compliance_APP_CONTROL – This will show if the app control policy is out of compliance (0 or 1).

compliance_DISALLOWED_APP – This will show if the disallowed app control policy is out of compliance (0 or 1).

 

Name	Description	Value
compliance_Compliant	Device is compliant.	0 1
compliance_COMPROMISED	Device is compromised.	0 1
compliance_OS_VERSION	OS version is less than the supported OS version.	0 1
compliance_HW_VERSION	Hardware version is not allowed.	0 1
compliance_DATA_PROTECTION	Data Protection is not enabled.	0 1
compliance_POLICY_OUT_OF_DATE	Policy is out of date.	0 1
compliance_DEVICE_OUT_OF_CONTACT	Device is out of contact.	0 1
compliance_APP_CONTROL	App control policy is out of compliance.	0 1
compliance_PER_MAILBOX_LIMIT	Device exceeds per mailbox limit.	0 1
compliance_AUTO_BLOCK	Device is not registered.	0 1
compliance_MANUAL	Device is manually blocked.	0 1
compliance_EXCHANGE	Exchange Reported.	0 1
compliance_DEVICE_ADMIN	Device administrator is deactivated. Note: On an Android device, the device administrator is deactivated. On iOS 5.0 and higher, the MDM profile has been removed, which deactivates MDM on the device.	0 1
compliance_DISALLOWED_APP	Disallowed app control policy is out of compliance.	0 1
compliance_REQUIRED_APP	Required app control policy is out of compliance.	0 1
compliance_ALLOWED_APP	Allowed app control policy is out of compliance.	0 1
Compliance_LOGGEDOUT	User has logged/signed out of multi user device	01
Compliance_ATTESTATION_FAILED	Attestation Failed	01
compliance_UNKNOWN	Unknown reason.	0 1

Compliance Codes

The following table shows the compliance codes returned by the API.

ComplianceType	ComplianceCode	ComplianceDescription
COMPROMISED	1	Device state is compromised.
OS_VERSION	2	OS version is less than the supported OS version
HW_VERSION	4	Hardware revision is not allowed
DATA_PROTECTION	8	Data Protection is not enabled
POLICY_OUT_OF_DATE	16	Policy is out of date
DEVICE_OUT_OF_CONTACT	32	Phone is out of contact
APP_CONTROL	64	App control policy is out of compliance
PER_MAILBOX_LIMIT	128	Device exceeds per mailbox limit
AUTO_BLOCK	256	Device is not registered
MANUAL	512	Device is manually blocked
EXCHANGE	1024	Exchange Reported
DEVICE_ADMIN_DEACTIVE	2048	Device administrator is deactivated
DISALLOWED_APP_CONTROL	4096	Disallowed app control policy is out of compliance
REQUIRED_APP_CONTROL	8192	Required app control policy is out of compliance
ALLOWED_APP_CONTROL	16384	Allowed app control policy is out of compliance
LOGGED_OUT	32768	User Logged Out
ATTESTATION_FAILED	65536	Attestation Failed
UNKNOWN	4194304	Unknown

Country List ISO 3166 Codes

The alpha-2 country codes are sorted by country in list one and code in list two. The alpha-2 codes can be used for rules containing country triggers.

Country		Alpha-2 code	Alpha-2 code	Country
Afghanistan		AF	AD	Andorra
Albania		AL	AE	United Arab Emirates
Algeria		DZ	AF	Afghanistan
American Samoa		AS	AG	Antigua and Barbuda
Andorra		AD	AI	Anguilla
Angola		AO	AL	Albania
Anguilla		AI	AM	Armenia
Antarctica		AQ	AN	Netherlands Antilles
Antigua and Barbuda		AG	AO	Angola
Argentina		AR	AQ	Antarctica
Armenia		AM	AR	Argentina
Aruba		AW	AS	American Samoa
Australia		AU	AT	Austria
Austria		AT	AU	Australia
Azerbaijan		AZ	AW	Aruba
Bahamas		BS	AZ	Azerbaijan
Bahrain		BH	BA	Bosnia and Herzegovina
Bangladesh		BD	BB	Barbados
Barbados		BB	BD	Bangladesh
Belarus		BY	BE	Belgium
Belgium		BE	BF	Burkina Faso
Belize		BZ	BG	Bulgaria
Benin		BJ	BH	Bahrain
Bermuda		BM	BI	Burundi
Bhutan		BT	BJ	Benin
Bolivia, Plurinational State of		BO	BM	Bermuda
Bosnia and Herzegovina		BA	BN	Brunei Darussalam
Botswana		BW	BO	Bolivia, Plurinational State of
Bouvet Island		BV	BR	Brazil
Brazil		BR	BS	Bahamas
British Indian Ocean Territory		IO	BT	Bhutan
Brunei Darussalam		BN	BV	Bouvet Island
Bulgaria		BG	BW	Botswana
Burkina Faso		BF	BY	Belarus
Burundi		BI	BZ	Belize
Cambodia		KH	CA	Canada
Cameroon		CM	CC	Cocos (Keeling) Islands
Canada		CA	CD	Congo, the Democratic Republic of the
Cape Verde		CV	CF	Central African Republic
Cayman Islands		KY	CG	Congo
Central African Republic		CF	CH	Switzerland
Chad		TD	CI	Côte d'Ivoire
Chile		CL	CK	Cook Islands
China		CN	CL	Chile
Christmas Island		CX	CM	Cameroon
Cocos (Keeling) Islands		CC	CN	China
Colombia		CO	CO	Colombia
Comoros		KM	CR	Costa Rica
Congo		CG	CU	Cuba
Congo, the Democratic Republic of the		CD	CV	Cape Verde
Cook Islands		CK	CX	Christmas Island
Costa Rica		CR	CY	Cyprus
Côte d'Ivoire		CI	CZ	Czech Republic
Croatia		HR	DE	Germany
Cuba		CU	DJ	Djibouti
Cyprus		CY	DK	Denmark
Czech Republic		CZ	DM	Dominica
Denmark		DK	DO	Dominican Republic
Djibouti		DJ	DZ	Algeria
Dominica		DM	EC	Ecuador
Dominican Republic		DO	EE	Estonia
Ecuador		EC	EG	Egypt
Egypt		EG	EH	Western Sahara
El Salvador		SV	ER	Eritrea
Equatorial Guinea		GQ	ES	Spain
Eritrea		ER	ET	Ethiopia
Estonia		EE	FI	Finland
Ethiopia		ET	FJ	Fiji
Falkland Islands (Malvinas)		FK	FK	Falkland Islands (Malvinas)
Faroe Islands		FO	FM	Micronesia, Federated States of
Fiji		FJ	FO	Faroe Islands
Finland		FI	FR	France
France		FR	GA	Gabon
French Guiana		GF	GB	United Kingdom
French Polynesia		PF	GD	Grenada
French Southern Territories		TF	GE	Georgia
Gabon		GA	GF	French Guiana
Gambia		GM	GG	Guernsey
Georgia		GE	GH	Ghana
Germany		DE	GI	Gibraltar
Ghana		GH	GL	Greenland
Gibraltar		GI	GM	Gambia
Greece		GR	GN	Guinea
Greenland		GL	GP	Guadeloupe
Grenada		GD	GQ	Equatorial Guinea
Guadeloupe		GP	GR	Greece
Guam		GU	GS	South Georgia and the South Sandwich Islands
Guatemala		GT	GT	Guatemala
Guernsey		GG	GU	Guam
Guinea		GN	GW	Guinea-Bissau
Guinea-Bissau		GW	GY	Guyana
Guyana		GY	HK	Hong Kong
Haiti		HT	HM	Heard Island and McDonald Islands
Heard Island and McDonald Islands		HM	HN	Honduras
Holy See (Vatican City State)		VA	HR	Croatia
Honduras		HN	HT	Haiti
Hong Kong		HK	HU	Hungary
Hungary		HU	ID	Indonesia
Iceland		IS	IE	Ireland
India		IN	IL	Israel
Indonesia		ID	IM	Isle of Man
Iran, Islamic Republic of		IR	IN	India
Iraq		IQ	IO	British Indian Ocean Territory
Ireland		IE	IQ	Iraq
Isle of Man		IM	IR	Iran, Islamic Republic of
Israel		IL	IS	Iceland
Italy		IT	IT	Italy
Jamaica		JM	JE	Jersey
Japan		JP	JM	Jamaica
Jersey		JE	JO	Jordan
Jordan		JO	JP	Japan
Kazakhstan		KZ	KE	Kenya
Kenya		KE	KG	Kyrgyzstan
Kiribati		KI	KH	Cambodia
Korea, Democratic People's Republic of		KP	KI	Kiribati
Korea, Republic of		KR	KM	Comoros
Kuwait		KW	KN	Saint Kitts and Nevis
Kyrgyzstan		KG	KP	Korea, Democratic People's Republic of
Lao People's Democratic Republic		LA	KR	Korea, Republic of
Latvia		LV	KW	Kuwait
Lebanon		LB	KY	Cayman Islands
Lesotho		LS	KZ	Kazakhstan
Liberia		LR	LA	Lao People's Democratic Republic
Libyan Arab Jamahiriya		LY	LB	Lebanon
Liechtenstein		LI	LC	Saint Lucia
Lithuania		LT	LI	Liechtenstein
Luxembourg		LU	LK	Sri Lanka
Macao		MO	LR	Liberia
Macedonia, the former Yugoslav Republic of		MK	LS	Lesotho
Madagascar		MG	LT	Lithuania
Malawi		MW	LU	Luxembourg
Malaysia		MY	LV	Latvia
Maldives		MV	LY	Libyan Arab Jamahiriya
Mali		ML	MA	Morocco
Malta		MT	MC	Monaco
Marshall Islands		MH	MD	Moldova, Republic of
Martinique		MQ	ME	Montenegro
Mauritania		MR	MG	Madagascar
Mauritius		MU	MH	Marshall Islands
Mayotte		YT	MK	Macedonia, the former Yugoslav Republic of
Mexico		MX	ML	Mali
Micronesia, Federated States of		FM	MM	Myanmar
Moldova, Republic of		MD	MN	Mongolia
Monaco		MC	MO	Macao
Mongolia		MN	MP	Northern Mariana Islands
Montenegro		ME	MQ	Martinique
Montserrat		MS	MR	Mauritania
Morocco		MA	MS	Montserrat
Mozambique		MZ	MT	Malta
Myanmar		MM	MU	Mauritius
Namibia		NA	MV	Maldives
Nauru		NR	MW	Malawi
Nepal		NP	MX	Mexico
Netherlands		NL	MY	Malaysia
Netherlands Antilles		AN	MZ	Mozambique
New Caledonia		NC	NA	Namibia
New Zealand		NZ	NC	New Caledonia
Nicaragua		NI	NE	Niger
Niger		NE	NF	Norfolk Island
Nigeria		NG	NG	Nigeria
Niue		NU	NI	Nicaragua
Norfolk Island		NF	NL	Netherlands
Northern Mariana Islands		MP	NO	Norway
Norway		NO	NP	Nepal
Oman		OM	NR	Nauru
Pakistan		PK	NU	Niue
Palau		PW	NZ	New Zealand
Palestinian Territory, Occupied		PS	OM	Oman
Panama		PA	PA	Panama
Papua New Guinea		PG	PE	Peru
Paraguay		PY	PF	French Polynesia
Peru		PE	PG	Papua New Guinea
Philippines		PH	PH	Philippines
Pitcairn		PN	PK	Pakistan
Poland		PL	PL	Poland
Portugal		PT	PM	Saint Pierre and Miquelon
Puerto Rico		PR	PN	Pitcairn
Qatar		QA	PR	Puerto Rico
Réunion		RE	PS	Palestinian Territory, Occupied
Romania		RO	PT	Portugal
Russian Federation		RU	PW	Palau
Rwanda		RW	PY	Paraguay
Saint Helena, Ascension and Tristan da Cunha		SH	QA	Qatar
Saint Kitts and Nevis		KN	RE	Réunion
Saint Lucia		LC	RO	Romania
Saint Pierre and Miquelon		PM	RS	Serbia
Saint Vincent and the Grenadines		VC	RU	Russian Federation
Samoa		WS	RW	Rwanda
San Marino		SM	SA	Saudi Arabia
Sao Tome and Principe		ST	SB	Solomon Islands
Saudi Arabia		SA	SC	Seychelles
Senegal		SN	SD	Sudan
Serbia		RS	SE	Sweden
Seychelles		SC	SG	Singapore
Sierra Leone		SL	SH	Saint Helena, Ascension and Tristan da Cunha
Singapore		SG	SI	Slovenia
Slovakia		SK	SJ	Svalbard and Jan Mayen
Slovenia		SI	SK	Slovakia
Solomon Islands		SB	SL	Sierra Leone
Somalia		SO	SM	San Marino
South Africa		ZA	SN	Senegal
South Georgia and the South Sandwich Islands		GS	SO	Somalia
Spain		ES	SR	Suriname
Sri Lanka		LK	ST	Sao Tome and Principe
Sudan		SD	SV	El Salvador
Suriname		SR	SY	Syrian Arab Republic
Svalbard and Jan Mayen		SJ	SZ	Swaziland
Swaziland		SZ	TC	Turks and Caicos Islands
Sweden		SE	TD	Chad
Switzerland		CH	TF	French Southern Territories
Syrian Arab Republic		SY	TG	Togo
Taiwan, Province of China		TW	TH	Thailand
Tajikistan		TJ	TJ	Tajikistan
Tanzania, United Republic of		TZ	TK	Tokelau
Thailand		TH	TL	Timor-Leste
Timor-Leste		TL	TM	Turkmenistan
Togo		TG	TN	Tunisia
Tokelau		TK	TO	Tonga
Tonga		TO	TR	Turkey
Trinidad and Tobago		TT	TT	Trinidad and Tobago
Tunisia		TN	TV	Tuvalu
Turkey		TR	TW	Taiwan, Province of China
Turkmenistan		TM	TZ	Tanzania, United Republic of
Turks and Caicos Islands		TC	UA	Ukraine
Tuvalu		TV	UG	Uganda
Uganda		UG	UM	United States Minor Outlying Islands
Ukraine		UA	US	United States
United Arab Emirates		AE	UY	Uruguay
United Kingdom		GB	UZ	Uzbekistan
United States		US	VA	Holy See (Vatican City State)
United States Minor Outlying Islands		UM	VC	Saint Vincent and the Grenadines
Uruguay		UY	VE	Venezuela, Bolivarian Republic of
Uzbekistan		UZ	VG	Virgin Islands, British
Vanuatu		VU	VI	Virgin Islands, U.S.
Venezuela, Bolivarian Republic of		VE	VN	Viet Nam
Viet Nam		VN	VU	Vanuatu
Virgin Islands, British		VG	WF	Wallis and Futuna
Virgin Islands, U.S.		VI	WS	Samoa
Wallis and Futuna		WF	YE	Yemen
Western Sahara		EH	YT	Mayotte
Yemen		YE	ZA	South Africa
Zambia		ZM	ZM	Zambia
Zimbabwe		ZW	ZW	Zimbabwe

LanguageID Values

id		english_name	iso_639_2	iso_639_1
1		English	eng	en
2		Japanese	jpn	ja
3		Korean	kor	ko
4		German	deu	de
5		German	ger	de
6		French	fra	fr
7		French	fre	fr
8		Italian	ita	it
9		Spanish	spa	es
10		Chinese (Simplified)	chi	zh
11		Chinese (Simplified)	zho	zh
12		Abkhazian	abk	ab
13		Afar	aar	aa
14		Afrikaans	afr	af
15		Akan	aka	ak
16		Albanian	alb	sq
17		Albanian	sqi	sq
18		Amharic	ara	ar
19		Agagonese	arg	an
20		Armenian	arm	hy
21		Armenian	hye	hy
22		Assamese	asm	as
23		Avaric	ava	av
24		Avestan	ave	ae
25		Aymara	aym	ay
26		Azerbaijani	aze	az
27		Bamabara	bam	bm
28		Bashkir	bak	ba
29		Basque	baq	eu
30		Basque	eus	eu
31		Belarusian	bel	be
32		Bengali	ben	bn
33		Bihari languages	bih	bh
34		Bislama	bis	bi
35		Norwegian	nob	nb
36		Bosnian	bos	bs
37		Breton	bre	br
38		Bulgarian	bul	bg
39		Burmese	bur	my
40		Burmese	mya	my
41		Valencian	cat	ca
42		Amharic	amh	am
43		Central Khmer	khm	km
44		Chamorro	cha	ch
45		Chechen	che	ce
46		Chichewa; Chewa; Nyanja	nya	ny
48		Zhuang; Chuang	zha	za
49		Church Slavic; Old Slavonic; Church Slavonic; Old Bulgarian; Old Church Slavonic	chu	cu
51		Chuvash	chv	cv
52		Cornish	cor	kw
53		Corsican	cos	co
54		Cree	cre	cr
55		Croatian	hrv	hr
56		Czech	cze	cs
57		Czech	ces	cs
58		Danish	dan	da
59		Divehi; Dhivehi; Maldivian	div	dv
61		Dutch; Flemish	dut	nl
62		Dutch; Flemish	nld	nl
63		Dzongkha	dzo	dz
64		Esperanto	epo	eo
65		Estonian	est	et
66		Ewe	ewe	ee
67		Faroese	fao	fo
68		Fijian	fij	fj
69		Finnish	fin	fi
70		Fulah	ful	ff
71		Gaelic; Scottish Gaelic	gla	gd
72		Galician	glg	gl
73		Ganda	lug	lg
74		Georgian	geo	ka
75		Georgian	kat	ka
76		Kikuyu; Gikuyu	kik	ki
77		Greek	gre	el
78		Greek	ell	el
79		Kalaallisut; Greenlandic	kal	kl
80		Guarani	grn	gn
81		Gujarati	guj	gu
82		Haitian; Haitian Creole	hat	ht
83		Hausa	hau	ha
84		Hebrew	heb	he
85		Herero	her	hz
86		Hindi	hin	hi
87		Hiri Motu	hmo	ho
88		Hungarian	hun	hu
89		Icelandic	ice	is
90		Icelandic	isl	is
91		Ido	ido	io
92		Igbo	ibo	ig
93		Indonesian	ind	id
94		Interlingua (International Auxiliary Language Association)	ina	ia
95		Interlingue; Occidental	ile	ie
96		Inuktitut	iku	iu
97		Inupiaq	ipk	ik
98		Irish	gle	ga
99		Javanese	jav	jv
101		Kannada	kan	kn
102		Kanuri	kau	kr
103		Kashmiri	kas	ks
104		Kazakh	kaz	kk
106		Kinyarwanda	kin	rw
107		Kirghiz; Kyrgyz	kir	ky
108		Komi	kom	kv
109		Kongo	kon	kg
110		Kurdish	kur	ku
111		Kuanyama; Kwanyama	kua	kj
113		Lao	lao	lo
114		Latin	lat	la
115		Latvian	lav	lv
116		Luxembourgish; Letzeburgesch	ltz	lb
117		Limburgan; Limburger; Limburgish	lim	li
118		Lingala	lin	ln
119		Lithuanian	lit	lt
120		Luba-Katanga	lub	lu
122		Macedonian	mac	mk
123		Macedonian	mkd	mk
124		Malagasy	mlg	mg
125		Malay	may	ms
126		Malay	msa	ms
127		Malayalam	mal	ml
129		Maltese	mlt	mt
130		Manx	glv	gv
131		Maori	mao	mi
132		Maori	mri	mi
133		Marathi	mar	mr
134		Marshallese	mah	mh
135		Romanian; Moldavian; Moldovan	rum	ro
136		Romanian; Moldavian; Moldovan	ron	ro
137		Mongolian	mon	mn
138		Nauru	nau	na
139		Navajo; Navaho	nav	nv
140		Ndebele, North; North Ndebele	nde	nd
141		Ndebele, South; South Ndebele	nbl	nr
142		Ndonga	ndo	ng
143		Nepali	nep	ne
145		Northern Sami	sme	se
146		Norwegian	nor	no
148		Norwegian Nynorsk; Nynorsk, Norwegian	nno	nn
149		Sichuan Yi; Nuosu	iii	ii
153		Occitan (post 1500)	oci	oc
154		Ojibwa	oji	oj
156		Oriya	ori	or
157		Oromo	orm	om
158		Ossetian; Ossetic	oss	os
159		Pali	pli	pi
160		Panjabi; Punjabi	pan	pa
161		Pushto; Pashto	pus	ps
162		Persian	per	fa
163		Persian	fas	fa
164		Polish	pol	pl
165		Portuguese	por	pt
168		Quechua	que	qu
171		Romansh	roh	rm
172		Rundi	run	rn
173		Russian	rus	ru
174		Samoan	smo	sm
175		Sango	sag	sg
176		Sanskrit	san	sa
177		Sardinian	srd	sc
179		Serbian	srp	sr
180		Shona	sna	sn
182		Sindhi	snd	sd
183		Sinhala; Sinhalese	sin	si
184		Slovak	slo	sk
185		Slovak	slk	sk
186		Slovenian	slv	sl
187		Somali	som	so
188		Sotho, Southern	sot	st
190		Sundanese	sun	su
191		Swahili	swa	sw
192		Swati	ssw	ss
193		Swedish	swe	sv
194		Tagalog	tgl	tl
195		Tahitian	tah	ty
196		Tajik	tgk	tg
197		Tamil	tam	ta
198		Tatar	tat	tt
199		Telugu	tel	te
200		Thai	tha	th
201		Tibetan	tib	bo
202		Tibetan	bod	bo
203		Tigrinya	tir	ti
204		Tonga (Tonga Islands)	ton	to
205		Tsonga	tso	ts
206		Tswana	tsn	tn
207		Turkish	tur	tr
208		Turkmen	tuk	tk
209		Twi	twi	tw
210		Uighur; Uyghur	uig	ug
211		Ukrainian	ukr	uk
212		Urdu	urd	ur
214		Uzbek	uzb	uz
216		Venda	ven	ve
217		Vietnamese	vie	vi
218		VolapÌ_k	vol	vo
219		Walloon	wln	wa
220		Welsh	wel	cy
221		Welsh	cym	cy
222		Western Frisian	fry	fy
223		Wolof	wol	wo
224		Xhosa	xho	xh
225		Yiddish	yid	yi
226		Yoruba	yor	yo
227		Zulu	zul	zu

Syslog

Facility Levels

Valid facility names are: auth, authpriv (for security information of a sensitive nature), cron, daemon, ftp, kern, lpr, mail, news, security (deprecated synonym for auth), syslog, user, uucp, and local0 to local7, inclusive.

Facility levels are defined by RFC 3164

The list of Facilities available

Facility Number	Facility Description
0	kernel messages
1	user-level messages
2	mail system
3	system daemons
4	security/authorization messages
5	messages generated internally by syslogd
6	line printer subsystem
7	network news subsystem
8	UUCP subsystem
9	clock daemon
10	security/authorization messages
11	FTP daemon
12	NTP subsystem
13	log audit
14	log alert
15	clock daemon
16	local use 0 (local0)
17	local use 1 (local1)
18	local use 2 (local2)
19	local use 3 (local3)
20	local use 4 (local4)
21	local use 5 (local5)
22	local use 6 (local6)
23	local use 7 (local7)

Severity Levels

Valid level names are: alert, crit, debug, emerg, err, error (deprecated synonym for err), info, notice, panic (deprecated synonym for emerg), warn (deprecated synonym for warning).

Severity levels are defined by RFC 5424

Code	Severity	Description	General Description
0	Emergency	System is unusable.	A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.
1	Alert	Action must be taken immediately.	Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a backup ISP connection.
2	Critical	Critical conditions.	Should be corrected immediately, but indicates failure in a primary system, an example is a loss of primary ISP connection.
3	Error	Error conditions.	Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time.
4	Warning	Warning conditions.	Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time.
5	Notice	Normal but significant condition.	Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required.
6	Informational	Informational messages.	Normal operational messages - may be harvested for reporting, measuring throughput, etc - no action required.
7	Debug	Debug-level messages.	Info useful to developers for debugging the application, not useful during operations.

Use Cases

Use Case One: Wipe when device is in a restricted country

²

Defense contractors and government agencies need to ensure that employees don't travel to countries on the U.S. "enemies" list - North Korea, etc. If a device travels there it needs to be immediately wiped and the appropriate security mechanism triggered.

Assemble Rule:

[RuleNum]

numberofrules=1

sleeptime=2000

[Rule1]

NumberofElements=1

Action=wipe

ActionReason=Device crossed into a restricted country. Democratic People's Republic of Korea OR Islamic Republic of Iran

Wakeup=no

SendMessage=yes

SendMessageText=Your device is in a restricted country. It will be wiped.1 2

Element1_trigger=country3

Element1_description=restricted country (Democratic People's Republic of Korea OR Islamic Republic of Iran)

Element1_operator=contains

Element1_source=local

Element1_value=KP,IR

Element1_distance=

Element1_distance_maxlocationage=4

Use Case Two: Change polices based on distance from corporate headquarters.

A manufacturer wants to remove WiFi configurations with certificate authentication on managed devices when it moves beyond 200 meters of the building. This helps keep users from attempting to extract authentication certificates from devices outside of the building. It helps to make sure devices must check back in every day while they are close to the building and pass MobileIron security checks before they are again allowed to connect to corporate WiFi.

[RuleNum]

numberofrules=2

sleeptime=2000

[Rule1]

NumberofElements=1

Action=removelabel:corporateWiFi4

ActionReason=device is beyond 200 meters of the building

Wakeup=yes

SendMessage=yes

SendMessageText=Your device has left the corporate campus.

Element1_trigger=distance

Element1_description=the device is beyond 200 meters of the building

Element1_operator=greater than

Element1_source=local

Element1_value=37.396227,-122.055638

Element1_distance=200

Element1_distance_maxlocationage=4

[Rule2]

NumberofElements=1

Action=applylabel:corporateWiFi

ActionReason=device is within 200 meters of the building

Wakeup=yes

SendMessage=yes

SendMessageText=Your device has left the corporate campus.

Element1_trigger=distance

Element1_description=the device is closer than 200 meters of the building

Element1_operator=less than

Element1_source=local

Element1_value=37.396227,-122.055638

Element1_distance=200

Element1_distance_maxlocationage=4

Use Case Three: Time/Day Based Policies

A company wants to apply a restrictive policy during business hours on weekdays.

[RuleNum]

numberofrules=1

sleeptime=2000

[Rule1]

NumberofElements=4

Action=applylabel:RestrictPolicy

ActionReason=weekday camera disable

Wakeup=yes

SendMessage=no

SendMessageText=

Element1_trigger=time

Element1_description=business hours

Element1_operator=greater than

Element1_source=local

Element1_value=08:00

Element2_elementoperator=AND

Element2_trigger=time

Element2_description=business hours

Element2_operator=less than

Element2_source=local

Element2_value=17:00

Element3_elementoperator=AND

Element3_trigger=day

Element3_description=saturday

Element3_operator=does not equal

Element3_source=local

Element3_value=7

Element4_elementoperator=AND

Element4_trigger=day

Element4_description=sunday

Element4_operator=does not equal

Element4_source=local

Element4_value=1

Use Case Four: Apply Corporate-Owned Labels to Specific Serial Numbers (iOS)/Device ID (Android)

A company wants to allow users to self-register their own devices. This poses two problems.

1.

Registering from the self-service portal lets the user choose if their device is corporate or employee owned. The user could mark this incorrectly or on purpose (perhaps in the hope they can get a more liberal security policy).

1.

Registering from the MI app only registers devices as corporate owned. There is no employee owned option when registering from the MI app in iOS or Android.

The company would rather apply company owned labels based on the serial number (iOS) or device id (Android).

Assemble Rule:

[RuleNum]

numberofrules=2

[Rule1]

NumberofElements=2

Action=applylabel:corporateowned

Wakeup=yes

SendMessage=yes

SendMessageText=Your device now has the policies for a corporate owned device.

Element1_trigger=device_id

Element1_description=corporate owned device_id match

Element1_operator=equals

Element1_source=local

Element1_value=6Q046Z5YA4S,DLXFR932DJHG,417a99d4d10d21ec

Element2_elementoperator=OR

Element2_trigger=serialnumber

Element2_description=corporate owned device serial match

Element2_operator=equals

Element2_source=local

Element2_value=6Q046Z5YA4S,DLXFR932DJHG

[Rule2]

NumberofElements=2

Action=applylabel:employeeowned

Wakeup=yes

SendMessage=yes

SendMessageText=Your device now has the policies for an employee owned device.

Element1_trigger=serialnumber

Element1_description=corporate owned device serial match

Element1_operator=does not equal

Element1_source=local

Element1_value=C39GKAV3DTDN,DLXFR932DJHG

Element2_elementoperator=OR

Element2_trigger=device_id

Element2_description=corporate owned device serial match

Element2_operator=does not equal

Element2_source=local

Element2_value=6Q046Z5YA4S,DLXFR932DJHG

Location History Report

Setting Up Location Tracking

In order to generate a report containing the last X number of locations for devices, follow the following steps:

1.

Create an Assemble rules file that specifies the following.

Which devices you want to track.

How many past location points you want to keep.

Schedule Assemble to run at the intervals you want to track the devices covered in the rules file.

Run assemble_locationhistory_vX.X.exe when you need to create a report from the recorded locations for devices.

Here is an example of an Assemble rules file for tracking the last 100 reported locations for all iOS devices.

[RuleNum]

numberofrules=1

sleeptime=2000

location_history_entries=100

[Rule1]

NumberofElements=1

Action=location:record

Element1_trigger=platform

Element1_description=record location of iOS devices

Element1_operator=contains

Element1_source=local

Element1_value=iOS

You can schedule Assemble run using this or any other rules file using Window Task Scheduler (see Scheduling Assemble). If the device location has not changed since the last Assemble run, it will not be recorded again. If the device location exceeds the “location_history_entries” settings, the oldest location will be replaced with the newest location.

Creating a Report from Tracked Locations

Once Assemble has been run at least once recording device locations, a report can be generated with all the locations recorded for all devices.

The report can be created ad-hoc or scheduled to be created using Windows Task Schedule.

Run the following command:

C:\Assemble>assemble_locationhistory_v1.0.exe C:\Assemble\reports\location_report

The report location and name, in this case C:\Assemble\reports\location_report, must be specified when running assemble_location_vX.X.exe. A timestamp will be added to the end of the report name. Two reports will be created with the same name, but different formats. One is a CSV and the other is XLS. The XLS report will contains clickable hyperlinks for each recorded location.

The addresses and coordinates in this screen shot are not valid for privacy reasons.

RuleNum Section (from previous documentation)

Section: [RuleNum]

This section defines the number of rules to be compared with each active device on the VSP.

Key: numberofrules

This key indicates how many rules are contained in the INI file.

Example: numberofrules=3

Key: numberofrules_as

This key indicates how many Activesync rules are contained in the INI file.

Example: numberofrules=1

Key: sleeptime

This key controls the number of milliseconds between actions sent to the VSP. For example, if sleeptime is set to 2000 and 50 devices are being retired there will be a pause of 2000 milliseconds for each ‘Retire Device’ API call to keep a flood of API calls from overloading the VSP. The total time to retire all 50 devices will be 100 seconds.

If sleeptime is not set, the default value is set to 2000 milliseconds.

Example: sleeptime=2000

Key:activedevicedownload

This key specifies which active device details are downloaded to run against Assemble rules. There are two options.

1.

activedevicedownload=active

This is the default setting and downloads all active device details regardless of OS or label membership.

2.

activedevicedownload=label:labelname

This setting only downloads active device details for devices that are members of the labelname specified in this INI key value.

Example: activedevicedownload=label:ios

Key: delimiter

This key controls the delimiter that is used for separating multiple element values. If delimiter is not set, Assemble will default to using a comma as a delimiter.

Example: I want to look for three different Samsung model numbers. If the device matches any of them (Boolean OR), I want to apply a label. The element portion of the INI rule file is below.

Element1_trigger=device_model
Element1_description=approved Samsung devices
Element1_operator=contains
Element1_source=local
Element1_value=SGH-I777,SGH-I727,SGH-I957

No special delimiter is needed because the model numbers do not contain commas. Using the default comma delimiter will work for this rule. However in some cases a comma will not work.

I want to apply a label only to Samsung Android devices that have the specific API needed to configure email and device restrictions. The device detail Samsung_DM may need to equal “FW: Key2,0 SW:1.0” or “FW: Key2,0 SW:1.0”

Element1_value= FW: Key2,0 SW:1.0,FW: Key2,0 SW:1.0

If the default comma delimiter is used the element value would be split into four checks instead of two.

1.

FW: Key2

1.

0 SW:1.0

FW: Key2

0 SW:1.0

If I change the delimiter to a different character such as “|” I can get the results I need.

Element1_value= FW: Key2,0 SW:1.0|FW: Key2,0 SW:1.0

1.

FW: Key2,0 SW:1.0

1.

FW: Key2,0 SW:1.0

See the full INI file below:

[RuleNum]

numberofrules=1

sleeptime=2000

delimiter=|

[Rule1]

NumberofElements=2

Action=applylabel:Sales

ActionReason=device in US

Wakeup=yes

SendMessage=no

SendMessageText=Your device is in US.

Element1_trigger=Samsung_DM

Element1_description=Samsung_DM rule

Element1_operator=contains

Element1_source=local

Element1_value= FW: Key2|0 SW:1.0

Key: ad_data

This key indicates if an Active Directory connection is made to support triggers and syslog/report variables that pull user attributes.

Example: ad_data=yes

Key: ad_disabled

This key indicates after an Active Directory connection if the list of disabled accounts will be downloaded. Downloading the list of disabled accounts is necessary when using the trigger ad:disabled which allows actions to be taken against devices registered under AD accounts that are not disabled. By default this key is set to ‘yes’.

Example: ad_disabled=no

Key: devicehistory

This key indicates if all the current details for each device are cached in devicehistory.ini. This file contains details for only the last run of Assemble. It is used with the trigger “history” that allow comparing the current value of a device detail to the previous value.

Key: activedevicefile

This key specifies a cached download of active device details from the VSP. If this key is set, Assemble will not download fresh active device details and will run all rules from the cached device details in the specified file location

Example:

Activedevicefile = “C:\assemble\cache\activedevicedetails.xml”

Key: activedevicecache

This key specifies if and where the download of active device details should be copied. That copied file could be used on a later Assemble run to compare rules against cached device details.

Example:

activedevicecache = “C:\assemble\cache\activedevicedetails.xml”

Key: appnames

This key specified all the app names that need to be checked in any of the rules using the trigger app:managed|unmanaged|installed|notinstalled|any. The app names must be listed here for Assemble to download the data showing which devices have the application(s) installed and if the app is managed or unmanaged. Without this key, the trigger will not function.

Example: anyconnect,angry birds,box

This key can also be set to “all”. This setting is used to create a report that includes all apps installed on a device that matches a rule. It will add the following columns to the report:

1.

AppName

1.

AppVersion

AppManaged

When this setting is used, the setting “reportvar” in the rule must include “uuid”.

Example rule file:

[RuleNum]

numberofrules=1

sleeptime=20

delimeter=,

appnames=all

 

[Rule1]

NumberofElements=2

Action=report

ActionReason=App Report

reportsend=yes

reportname=appreport

reportlocation=C:\MobileIronReports\

reportmessage=AppReport

reportvar=uuid,principal,manufacturer,ModelName,device_model

#email setting only necessary if the report is to be sent as an attachment

#SMTP setting are required. See section SMTP Connection and Authentication

reportemail = yes

sendmailFromName = MI Admin

sendmailFromAddress = [email protected]

sendmailToAddress = [email protected]

sendmailSubject = MobileIron App Report

sendmailBody = MobileIron App Report

sendmailImportance = High

Element1_trigger=platform

Element1_description=Apple iOS

Element1_operator=contains

Element1_source=local

Element1_value=iOS

Element2_elementoperator=OR

Element2_trigger=platform

Element2_description=Google Android

Element2_operator=contains

Element2_source=local

Element2_value=Android

This key has a special setting “Violation” that works with the key appcontroldetails.

*Key: appcontroldetails

*This function requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings

This key must be combined with setting the key appnames. When appcontroldetails is set to “yes” AND appnames is set “Violation”, all devices that are violating an app control policy will have the following details for each app included in reports.

1.

AppNum

1.

AppName

AppControl Policy

AppControl Type

Syslog messages will have additional strings “appcontrolapp=appname,appcontrolpolicyname,appcontroltype” added to the end of the syslog message for each app violating the app control policy for the device.

05-03-2012 10:01:06 Auth.Info 192.168.1.10 May 3 10:01:06 JZARRIS-R9B30XG salesdemo.mobileiron.com: SyslogMessage=device violating policy ActionReason=NotFound reportvar=uuid=0 principal=sgomann manufacturer=Apple ModelName=iPad device_model=iPad2,2 apps_managedstatus= lastConnectedAt=2012-04-30T15:42:32+00:00 wifi_mac_addr=NotFound WiFiMAC=3451C95D826B compliance=4160 compliance_Compliant=0 compliance_COMPROMISED=0 compliance_OS_VERSION=0 compliance_HW_VERSION=0 compliance_DATA_PROTECTION=0 compliance_POLICY_OUT_OF_DATE=0 compliance_DEVICE_OUT_OF_CONTACT=0 compliance_APP_CONTROL=1 compliance_PER_MAILBOX_LIMIT=0 compliance_AUTO_BLOCK=0 compliance_MANUAL=0 compliance_EXCHANGE=0 compliance_DEVICE_ADMIN=0 compliance_DISALLOWED_APP=1 compliance_DISALLOWED_APP=1 compliance_ALLOWED_APP=0 compliance_UNKNOWN=0 appcontrolapp=Angry Birds 1.2.0,angry birds,BLACK appcontrolapp=Angry Birds 1.3.0,angry birds,BLACK appcontrolapp=Angry Birds 1.4.0,angry birds,BLACK appcontrolapp=Zillow 5.0.1,Zillow Blacklist,BLACK

[RuleNum]

numberofrules=1

sleeptime=2000

delimeter=,

appnames=Violation

appcontroldetails=yes

[Rule1]

NumberofElements=1

Action=report

Wakeup=no

SendMessage=no

reportsend=yes

reportname= appcontrolpolicyviolated

reportmessage= appcontrolpolicyviolated

reportvar=uuid,principal,manufacturer,ModelName,device_model,apps_managedstatus,lastConnectedAt,wifi_mac_addr,WiFiMAC,compliance,compliance_Compliant,compliance_COMPROMISED,compliance_OS_VERSION,compliance_HW_VERSION,compliance_DATA_PROTECTION,compliance_POLICY_OUT_OF_DATE,compliance_DEVICE_OUT_OF_CONTACT,compliance_APP_CONTROL,compliance_PER_MAILBOX_LIMIT,compliance_AUTO_BLOCK,compliance_MANUAL,compliance_EXCHANGE,compliance_DEVICE_ADMIN,compliance_DISALLOWED_APP,compliance_DISALLOWED_APP,compliance_ALLOWED_APP,compliance_UNKNOWN

reportlocation=C:\Users\userx\Documents\reports\

#uncomment syslog variable to send syslog messages

#syslogsend=yes

#syslogserver=192.168.1.10

#syslogport=514

#syslogmessage=device violating policy

#syslognotice=security.info

#syslogvar=uuid,principal,manufacturer,ModelName,device_model,apps_managedstatus,lastConnectedAt,wifi_mac_addr,WiFiMAC,compliance,compliance_Compliant,compliance_COMPROMISED,compliance_OS_VERSION,compliance_HW_VERSION,compliance_DATA_PROTECTION,compliance_POLICY_OUT_OF_DATE,compliance_DEVICE_OUT_OF_CONTACT,compliance_APP_CONTROL,compliance_PER_MAILBOX_LIMIT,compliance_AUTO_BLOCK,compliance_MANUAL,compliance_EXCHANGE,compliance_DEVICE_ADMIN,compliance_DISALLOWED_APP,compliance_DISALLOWED_APP,compliance_ALLOWED_APP,compliance_UNKNOWN

Element1_trigger=compliancecode

Element1_description=appcontrolpolicyviolated

Element1_operator=equals

Element1_source=local

Element1_value=64

Key: variablealias

This key specifies if aliases will be substituted for device detail names. The device detail to alias mapping must in an INI file.  This allows detail names to be changed in reports to an alias that is more intuitive.  For example the value name "security_state" can be changed to "compromised_status". The name of the INI file is indicated in the setting variablealiaslist.

Example: variablealias=yes

Default: variablealias=no

Key: variablealiaslist

This key specifies the name of the device detail to alias mapping INI file. The INI file must reside in the current working directory. If it is not, you much specify the full file path surrounded by double quotes.

Examples:

variablealiaslist=assemble_alias.ini

variablealiaslist= "c:\assemble\assemble_alias.ini"

The device detail to alias mapping must be located under an INI section called [alias]. The device detail name is the INI key and the alias is the key value.

[alias]

security_state=compromised_status

principal=username

Key: valuetranslate

This key specifies if device detail values will be translated into other values. This allows values that may be confusing to read to be translated into a more human readable format.

The device detail values to translated values mapping must in an INI file. The name of the INI file is indicated in the setting valuetranslatelist.

Example: valuetranslate=yes

Key: valuetranslatelist

This key specifies the name of the device detail values to translated values mapping INI file. The INI file must reside in the current working directory. If it is not, you much specify the full file path surrounded by double quotes.

Examples:

valuetranslatelist=assemble_translate.ini

valuetranslatelist="c:\assemble\assemble_translate.ini"

Any device detail value can be translated.

Example: security_state

The device detail security_state indicates if a device is compromised. In the case of iOS this means jailbroken. In the case of Android this means rooted. The values for security_state can be confusing.

iOS security_state values

a)

0

This indicates the iOS device is compromised/jailbroken.

b)

1

This indicates the iOS device is not compromised/jailbroken.

Android security_state values

a)

Compromised

This indicates the Android device is compromised/rooted.

b)

Ok

This indicates the Android device is not compromised/rooted.

To translate these values into a more readable format, create a section in the INI file for the device detail. Then create keys for each of the default values and the desired translated value.

[security_state]

0=compromised

1=not compromised

Compromised=compromised

Ok=not compromised

With these settings, both iOS and Android will show either a) compromised or b) not compromised in reports instead of 0, 1, Compromised or Ok.

Key: wget

This key controls whether the Internet Explorer engine or wget is utilized to download all device details via the VSP API. There are rare instances when the API https://vsp/api/v1/dm/devices can return null characters in the XML response. The Internet Explorer engine cannot process null characters and will cause Assemble to receive incomplete information. Wget can process the null characters and once the raw XML file is downloaded, Assemble can strip the null characters from the XML file for correct processing of Assemble rules.

If you believe you are encountering null characters in the XML returned by the API https://vsp/api/v1/dm/devices, set wget to “yes”.

The default setting is wget=no.

Example: wget=yes

Key: activesyncreport

An optional Sentry ActiveSync Device CSV report can be created.

This key specifies if Sentry ActiveSync device details will be exported into a CSV report. The default setting is “no”.

Example: activesyncreport = yes

Key: activesyncreportlocation

This key specifies the location of the CSV file in the local file system. The path must include the trailing backslash. The default value is “\”.

Example: activesyncreportlocation = C:\users\jsmith\

Key: activesyncreportname

This key specifies the name of the CSV report. The default value is “MI_Assemble_ActiveSync_Report”.

Example: activesyncreportname = ActiveSyncReport

Key: activesyncreporttimestamp

This key specifies if a date/time stamp should be added to the end of the report name at run time. The default value is “yes”.

Example: activesyncreporttimestamp = yes

Key: activesyncreportmessage

This key specifies a custom string to be inserted into the column activesyncreportmessage. The default value is “MI VSP Activesync report message”.

Example: activesyncreportmessage = Daily ActiveSync Report

Key: activesyncreportemail

This key specifies if the CSV report will be sent as an email attachment. The default value is “no”.

Example: activesyncreportemail = yes

Key: activesyncreportFromAddress

This key specifies the From email address. The default is blank.

Example: activesyncreportFromAddress = [email protected]

Key: activesyncreportToAddress

The key specifies the To email addresses. The default is blank.

Example: activesyncreportToAddress = [email protected], [email protected]

Key: activesyncreportSubject

This key specifies the subject of the email. The default is MobileIron ActiveSync Report.

Example: activesyncreportSubject = Company X Daily ActiveSync Report

Key: activesyncreportBody

The key specifies the body of the email. The default is blank.

Example: activesyncreportBody = This is a daily MobileIron ActiveSync report.

Key: activesyncreportImportance

This key specifies the importance flag of the email. The default is Normal.

Example: activesyncreportImportance = Important

**Key: log_mifs

This key specifies if the VSP MIFS log file should be downloaded. This function is utilized to send MIFS log entries as syslog messages.

**NOTE: Enabling this function requires the VSP username and password have access to the MICS or System side of the VSP GUI.

Example: log_mifs=yes

Key: log_mifs_age

This key specifies which of the log file entries to send via syslog based on the time stamp. The key represents the number of minutes in the past from the current run time of Assemble. If the key is set to 60 and the current time is 11:00 UTC, all log file entries from 10:00 to 11:00 UTC will match and be sent via syslog.

Example: log_mifs_age=60

Key: log_syslogport

This key specifies the UDP port for sending MIFS log file entry syslog messages.

Example: log_syslogport=514

Key: log_syslogserver

This key specifies the syslog server IP or FQDN for sending MIFS log file entry syslog messages.

Example: log_syslogserver=192.168.1.100

Key: log_syslognotice

This key specifies the syslog notice level for sending MIFS log file entry syslog messages.

Example: log_syslognotice=security.info

Key: log_syslogmessage

This key specifies a custom message sent with MIFS log file entry syslog messages.

Example: log_syslogmessage=mifs_log

Key: log_actionreason

This key specifies a second custom message sent with MIFS log file entry syslog messages.

Example: log_actionreason=MIFS_Log_Entry

*Key: ios_mdm_watchlist

This key specifies if the iOS MDM Watchlist should be downloaded for creating a CSV report.

Example: ios_mdm_watchlist=yes

*This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings

Key: ios_mdm_location

This key specifies the location of the iOS MDM Watchlist report called iOS_MDM_Watchlist.csv.

Example: ios_mdm_location="C:\Assemble\reports\"

*Key: mdm_redemption_log

This key specifies if the MDM Apply Redemption Code log should be downloaded from the VSP to create a CSV report. This report show which VPP tokens were sent with the following information:

1.

Date/Time sent

1.

Phone Number

Application Identifier

Redemption Code

Username

Example: mdm_redemption_log = yes

Note:  Currently, there is no way to definitively know which redemption codes that were handed out were not used (i.e. the user already owned the app). You can infer from the logs if a code is handed out multiple times in a row that it was not used. If a new code is handed out for the same app the next time a user requests it, that means the last code was used.

*This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings

Key: mdm_redemption _location

This key specifies the location of the MDM Apply Redemption Code report called iOS_MDM_VPP_Redemption.csv.

Example: mdm_redemption _location ="C:\Assemble\reports\"

Key: mdm_redemption_days

This key specifies how many days of logs ending at the current date and time to request MDM Apply Redemption Code data.

Example: mdm_redemption_days=-250

*Key: mdm_erase_log

This key specifies if the MDM Erase Device Log should be downloaded for creating a CSV report.

Example: mdm_erase_log=yes

*This key requires a user account with both the API role AND the roles Smartphones Inventory, Policies, Apps/File Catalogs and Smartphone Manager Settings

This report shows which devices were sent wipe command and the state of the wipe.

1. Acknowledged

2. Administratively Cancelled

3. Internal error

4. Programatically Cancelled

5. Waiting - checkin pending

Key: mdm_erase_log_location

This key specifies the location of the MDM Erase Device Log report called mdm_erase_log.csv.

Example: mdm_erase_log_location="C:\Assemble\reports\"

Key: location_history_entries

This key specifies the number of past locations that will be saved in location_history.ini. When the limit is reached the oldest location is replaced with the newest location each time Assemble is run.

Example: location_history_entries=100

*Key: vspdetails

This key is set to “yes” for functions that require access to the VSP administration GUI. An example is the trigger “registeredon”. The device detail “Registered On” is not available in the API and must be pulled from the VSP administration GUI.

*This trigger requires a user account with both the API role AND the roles Smartphones Inventory, Policies, and Smartphone Manager Settings.

Key: bulkimport

This key allows the import of CSV files to bulk register devices. The location of the CSV files are specified with the key “bulkimportlocation”. Assemble will read each CSV file in the specified location and register using each line in the CSV files. After the CSV files are read, each CSV file is renamed with the suffix “.bak” added. This ensures that the same CSV is not read and bulk registered again.

Note: The CSV files cannot be opened and locked when Assemble is run or they cannot be renamed. If they are not renamed, the next Assemble run will create redundant registrations for all CSV file entries.

A new log file called bulkimport_year_month_monthday_hour_minute.log will be created for each Assemble run. The log file will also be copied to the location specified in the key “bulkdimportlocation”.

Example:

bulkimport=yes

Sample rules.ini file:

[RuleNum]

numberofrules=0

sleeptime=2000

bulkimport=yes

bulkimportlocation="\\192.168.1.103\mobileiron\csv\"

Bulk Register CSV Format

phoneNumber,userID,operator,isEmployeeOwned,platform,deviceType,importUserFromLdap,userFirstName,userLastName,userEmailAddress,notifyUser,countryCode

5555551111,jsmith, AT&T,TRUE,I,Phone,TRUE,,,,TRUE,1

5555551112,asmith,AT&T,TRUE,I,Phone,TRUE,,,,TRUE,1

5555551113,tsmith,Verizon,TRUE,I,Phone,TRUE,,,,TRUE,1

,ssmith,,TRUE,I,PDA,FALSE,sam,smith,[email protected],TRUE,

 

phoneNumber	Required.
userId	Required.
Operator	String indicating operator. This field will be updated after registration if the VSP can find the operator based on the phoneNumber entry.
isEmployeeOwned	True indicates the device is owned by the employee.False indicates it is owned by the company. Default is false.
Platform	Required. Platform or operating system of the device. Valid values:W - Windows MobileI - iOSP- Palm webOS A- Android
deviceType	Device type can be a phone or PDA. Valid values : Phone, PDAIf device is a PDA, then phone number is optional.
importUserFromLdap
userFirstName	Required for local user. User’s first name.
userLastName	Required for local user. User’s last name.
userEmailAddress	Required for local user. User’s email address.
notifyUser	True indicates user should be notified of registration by email/SMS.False indicates user should not be notified.
countryCode	Required. Country code of the operator.

 

Key: bulkimportlocation

This key specifies the location of the CSV files used for bulk registration when the key “bulkimport” is set to “yes”. All CSV files in the location will be read. After they have been read, each CSV file is renamed with the suffix “.bak” added. This ensures that the same CSV is not read and bulk registered again.

Note: The CSV files cannot be opened and locked when Assemble is run or they cannot be renamed. If they are not renamed, the next Assemble run will create redundant registrations for all CSV file entries.

Examples:

bulkimportlocation="\\192.168.1.103\mobileiron\bulkimport\"

OR

bulkimportlocation="C: \mobileiron\bulkimport\"

Bulk Register CSV Format

Bulk Register CSV Format:

phoneNumber,userID,operator,isEmployeeOwned,platform,deviceType,importUserFromLdap,userFirstName,userLastName,userEmailAddress,notifyUser,countryCode

5555551111,jsmith, AT&T,TRUE,I,Phone,TRUE,,,,TRUE,1

5555551112,asmith,AT&T,TRUE,I,Phone,TRUE,,,,TRUE,1

5555551113,tsmith,Verizon,TRUE,I,Phone,TRUE,,,,TRUE,1

,ssmith,,TRUE,I,PDA,FALSE,sam,smith,[email protected],TRUE,

 

phoneNumber	Required.
userId	Required.
Operator	String indicating operator. This field will be updated after registration if the VSP can find the operator based on the phoneNumber entry.
isEmployeeOwned	True indicates the device is owned by the employee.False indicates it is owned by the company. Default is false.
Platform	Required. Platform or operating system of the device. Valid values:W - Windows MobileI - iOSP- Palm webOS A- Android
deviceType	Device type can be a phone or PDA. Valid values : Phone, PDAIf device is a PDA, then phone number is optional.
importUserFromLdap	True – import the matching user from LDAP.False –create a local user. If a local user does not exist with the input userid, then a new local user is created. For local users, first name, last name, and email address are required.
userFirstName	Required for local user. User’s first name.
userLastName	Required for local user. User’s last name.
userEmailAddress	Required for local user. User’s email address.
notifyUser	True indicates user should be notified of registration by email/SMS.False indicates user should not be notified.
countryCode	Required. Country code of the operator.

V2 API Field Groups

This index lists the fields returned for the V2 API field groups BASIC, COMMON,ANDROID,IOS,USER and WINDOWS_PHONE.

BASIC

Current Operator Name

Current Phone Number

Device Owner

Display Name

Email Address

Home Country Name

Language

Last Check-In

Manufacturer

Model

Passcode

Passcode Expiration Time

Platform Name

Registration Date

Status

 

 

COMMON

APNS Capable

Background Status

Battery Level

Block Reason

Blocked

Cellular Technology

Client Build Date

Client Id

Client Last Check-in

Client Name

Client Version

Comment

Compliant

Creation Date

Current Country Code

Current Country Name

Current Operator Name

Current Phone Number

Device Admin Enabled

Device Is Compromised

Device Locale

Device Owner

Device Space

Display Size

EAS Last Sync Time

Ethernet MAC

Home Country Code

Home Country Name

Home Operator Name

Home Phone Number

IMEI

IMSI

IP Address

Language

Last Check-In

Manufacturer

MDM Managed

Memory Capacity

Memory Free

Model

Model Name

Non-compliance Reason

OS Version

Passcode

Passcode Expiration Time

Platform

Platform Name

Processor Architecture

Quarantined

Quarantined Reason

Registration Date

Registration IMSI

Registration UUID

Retired

Roaming

Security State

Status

Storage Capacity

Storage Free

Wi-Fi MAC

 

ANDROID

Admin Activated

Attestation

Brand

C2DM Token

Code Name

Device

Device Roaming Flag

Incremental

Manufacturer OS Version

MDM Enabled

Media Card Capacity

Media Card Free

Multi MDM

OS Build Number

OS Update Path

OS Update Status

Platform Flags

Samsung KNOX Version

Samsung SAFE Version

Secure Apps Enabled

Secure Apps Encryption Enabled

Secure Apps Encryption Mode

Security Detail

USB Debugging

 

 

IOS

Activation Lock Bypass Code

Activation Lock Is Enabled

APNS Token

Bluetooth MAC

Build Version

Carrier Settings Version

Current Mobile Country Code

Current Mobile Network Code

Data Protection

Data Roaming Enabled

Device Locator Service Is Enabled

Device Name

Do Not Disturb Is In Effect

Force Encrypted Backup

Hardware Encryption Caps

iCloud Backup Is Enabled

iOS Background Status

iPhone ICCID

iPhone Mac Address

iPhone Product

iPhone UDID

iPhone User ID

iPhone User Long Name

iPhone User Short Name

iPhone Version

IT Policy Result

iTunes Store Account Hash

iTunes Store Account Is Active

Last iCloud Backup Date

Modem Firmware Version

Passcode Compliant

Passcode Compliant with Profiles

Passcode Present

Product Name

Security Reason Code

Serial Number

Signal Strength

Subscriber Carrier Network

Subscriber MCC

Subscriber MNC

Supervised

Voice Roaming Enabled

VPN IP Address

Wakeup Status

 

USER

Attribute Distinguished Name

c

cn

custom1

custom2

custom3

custom4

Display Name

displayName

distinguishedName

Email Address

First Name

givenName

Last Admin Portal Login Time

Last Name

LDAP Group Distinguished Name

LDAP User Distinguished Name

LDAP User Locale

mail

memberOf

Name

Principal

SAMAccountName

sAMAccountName

sn

upn

User UUID

userPrincipalName

 

 

WINDOWS_PHONE

Cert Renewal Timestamp

DM Client Version

DM ID

Exchange ID

Firmware Version

Hardware Version

IMEI2

IMSI2

Local Time

Network Adapter

Phone Number2

Processor Type

Processor Type Description

Signed DM ID

WNS Channel URL

WP Management Service Address

WP Publisher Device ID

WP Radio SWV

WP Roaming

WP Roaming2

Assemble_TLS1.2 fix

Windows Registry Editor Version 5.00

Register TSL 1.2 Client Protocol

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"Enabled"=dword:ffffffff

"DisabledByDefault"=dword:00000000

Configure TLS 1.2 to be default in 32 bit applications

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000800

Configure TLS 1.2 to be default in 64 bit applications

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000800